Why does Office Online pass the access token in both the Authorization HTTP header and as a URL parameter?
This is done primarily for compatibility reasons. Some hosts rely on the Authorization header because they use an OAuth stack to create and manage WOPI access tokens. Because WOPI does not define a way for a host to indicate that it is using OAuth, Office Online passes the access token both ways for maximum compatibility.
As a best practice, WOPI hosts should use the access token value from the URL parameter. This is the preferred way to pass access tokens, and not all WOPI clients will pass it in the Authorization header.