OAuth2.0 Best Practises

Uploaded by

suresh

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

22 views1 page

OAuth2.0 Best Practises

Uploaded by

suresh

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 1

Security Cheat Sheet

Version 2020.001

OAuth 2.0 best practices for developers

OAuth 2.0 is an elaborate framework, which continuously evolves to address current needs and security considerations. The
framework is even evolving into a consolidated OAuth 2.1 specification. This cheat sheet offers an overview of current security
best practices for developers building OAuth 2.x client applications.

General recommendations Recommendations for backend clients

Use the Authorization Code flow in every redirect scenario Use client authentication in Step 10
Always use Proof Key for Code Exchange (PKCE) Prefer key-based authentication over shared client secrets
The client includes a challenge based on a secret in Step 1 Encrypt access tokens and refresh tokens in storage
The client includes the secret verifier in Step 10 Store the encryption keys using a secret management service
When using refresh tokens, apply additional protection Use proof-of-possession access/refresh tokens
Rotate refresh tokens and act upon double use of a token Using sender-constrained tokens requires possession of a secret
Invalidate refresh tokens for web applications when ...
– the user explicitly logs out of the security token service Recommendations for frontend web clients
– the user’s session with the security token service expires
Invalidate refresh tokens when the user’s password changes Use the Authorization Code flow with PKCE for new projects
Include an audience in the flow and in the access tokens The Implicit flow is not broken, but should be phased out
This restricts who accepts the access token in Step 12 Be careful with using refresh tokens in web applications
Restrict the capabilities of bearer access tokens Do not use long-lived refresh tokens in the browser
Keep the lifetime of access tokens as short as possible Ensure that refresh tokens are protected (see on the left)
Use scopes to restrict the permissions associated with a token Focus on preventing XSS vulnerabilities in the frontend
XSS results in the complete compromise of the client application
References Avoiding the use of LocalStorage is not an XSS defense

OAuth 2.0 threat model and security considerations Recommendations for native clients
OAuth 2.0 Security Best Current Practice
The OAuth 2.1 Authorization Framework (draft) Use a system browser instead of an embedded browser
On mobile, use SFSafariViewController or Chrome Custom Tabs
Encrypt access tokens and refresh tokens in storage
Store the encryption keys in a key store provided by the OS

Is OAuth 2.0 and OpenID Connect causing you frustration?

Your shortcut to understanding OAuth 2.0 and OIDC is right here
Best practices
https://courses. pragmaticwebsecurity.com/ for SPAs and APIs

OAuth 2 Simplified
No ratings yet
OAuth 2 Simplified
12 pages
Cracking The Java Interview - Top Q&A
No ratings yet
Cracking The Java Interview - Top Q&A
19 pages
Network Security - Unit 1: - Introduction
No ratings yet
Network Security - Unit 1: - Introduction
43 pages
Embedded Systems Internship PPT Final2
No ratings yet
Embedded Systems Internship PPT Final2
13 pages
Virtual Systems & Services Lecture 12
No ratings yet
Virtual Systems & Services Lecture 12
14 pages
Visual Basic
No ratings yet
Visual Basic
19 pages
ICT EPC-3 Project
No ratings yet
ICT EPC-3 Project
27 pages
OLT Onu Radio - Drawio
No ratings yet
OLT Onu Radio - Drawio
1 page
Spring Boot
No ratings yet
Spring Boot
7 pages
Linux Commands-2
No ratings yet
Linux Commands-2
16 pages
Constraint Deltalake Pyspark
No ratings yet
Constraint Deltalake Pyspark
9 pages
CAPIE - Chapter 1.3 Authentication and Authorization
No ratings yet
CAPIE - Chapter 1.3 Authentication and Authorization
14 pages
2-Spring Data Jan 25
No ratings yet
2-Spring Data Jan 25
14 pages
Advance Web Technology
No ratings yet
Advance Web Technology
98 pages
Swipe ??
No ratings yet
Swipe ??
20 pages
SAP SD Important Tables For SD Consultants
No ratings yet
SAP SD Important Tables For SD Consultants
9 pages
CNIL - Transfer Impact Assessment Practical Guide
No ratings yet
CNIL - Transfer Impact Assessment Practical Guide
28 pages
Play Claw 7
No ratings yet
Play Claw 7
11 pages
Day 16 of 30
No ratings yet
Day 16 of 30
11 pages
K8s Horizontal Pod Autoscaling
No ratings yet
K8s Horizontal Pod Autoscaling
12 pages
AWS Waste Management Application
No ratings yet
AWS Waste Management Application
9 pages
Docker With NFS
No ratings yet
Docker With NFS
2 pages
Hands-On Guide Running DeepSeek LLMs Locally
No ratings yet
Hands-On Guide Running DeepSeek LLMs Locally
10 pages
1-Spring Boot MS Bank App Step by Setp Jan 25
No ratings yet
1-Spring Boot MS Bank App Step by Setp Jan 25
29 pages
AWS Athena Serverless Querying
No ratings yet
AWS Athena Serverless Querying
6 pages
Java Interview-1
No ratings yet
Java Interview-1
9 pages
????? & ?????-????? ?????????????? ???????
No ratings yet
????? & ?????-????? ?????????????? ???????
17 pages
Core Fundamentals Java Developers Must Know
No ratings yet
Core Fundamentals Java Developers Must Know
11 pages
Day 17 of 30
No ratings yet
Day 17 of 30
7 pages
4-SpringBoot BlogPost Project Jan 25
No ratings yet
4-SpringBoot BlogPost Project Jan 25
8 pages
Oauth 2 - Documentation
No ratings yet
Oauth 2 - Documentation
5 pages
Java Design Patterns
No ratings yet
Java Design Patterns
9 pages
Cs6001 Unit I Csharp Notes Revsd
No ratings yet
Cs6001 Unit I Csharp Notes Revsd
37 pages
Midex2023 Solutions
No ratings yet
Midex2023 Solutions
8 pages
AWS DevOps Interview Q&A
No ratings yet
AWS DevOps Interview Q&A
5 pages
1-Spring Boot Productapp Application Jan 25
No ratings yet
1-Spring Boot Productapp Application Jan 25
38 pages
Wireshark Display Filters Cheat Sheet
No ratings yet
Wireshark Display Filters Cheat Sheet
2 pages
Advanced Programming
No ratings yet
Advanced Programming
3 pages
IT Troubleshooting
No ratings yet
IT Troubleshooting
3 pages
Java Streams
No ratings yet
Java Streams
13 pages
Roles and Responsibilities of L1, L2 and L3 With Scenarios
No ratings yet
Roles and Responsibilities of L1, L2 and L3 With Scenarios
34 pages
MT - M03 - C02 - SLM - Mobile Application Testing Features and Challenges PDF
No ratings yet
MT - M03 - C02 - SLM - Mobile Application Testing Features and Challenges PDF
22 pages
Uhand Secondary Development Kit User Manual
No ratings yet
Uhand Secondary Development Kit User Manual
18 pages
API Security
No ratings yet
API Security
31 pages
FT Turing
No ratings yet
FT Turing
12 pages
5-MS Communication Jan 25
No ratings yet
5-MS Communication Jan 25
4 pages
10 19uecpc505 A 5 36assignment-2 DSP-ST
No ratings yet
10 19uecpc505 A 5 36assignment-2 DSP-ST
4 pages
OAuth 2.0 Detailed With Example
No ratings yet
OAuth 2.0 Detailed With Example
3 pages
API Testing Practical Guide - QA - SDET
No ratings yet
API Testing Practical Guide - QA - SDET
7 pages
Scrum Master Roles
No ratings yet
Scrum Master Roles
19 pages
API Security
No ratings yet
API Security
21 pages
Ge Egd Manual
No ratings yet
Ge Egd Manual
47 pages
?DevOps Interview Disaster - Avoid These Pitfalls!?
No ratings yet
?DevOps Interview Disaster - Avoid These Pitfalls!?
7 pages
4 Authentication
No ratings yet
4 Authentication
3 pages
SEE Electrical 7R2
No ratings yet
SEE Electrical 7R2
5 pages
Kubernetes Deployments
No ratings yet
Kubernetes Deployments
5 pages
4 Architecting Azure Solutions 70 534 Secure Resources m4 Slides
No ratings yet
4 Architecting Azure Solutions 70 534 Secure Resources m4 Slides
32 pages
Authentication and Authorization Overview
No ratings yet
Authentication and Authorization Overview
10 pages
Week3-Lesson1-A Survey Paper On Social Sign-On Protocol OAuth 2.0
No ratings yet
Week3-Lesson1-A Survey Paper On Social Sign-On Protocol OAuth 2.0
4 pages
Microprocessor 8085 Ramesh Gaonkar: Architecture, Programming, and Applications With The by
No ratings yet
Microprocessor 8085 Ramesh Gaonkar: Architecture, Programming, and Applications With The by
37 pages
Custom Logic
No ratings yet
Custom Logic
12 pages
Remote Procedure Call
No ratings yet
Remote Procedure Call
6 pages
OAuth Grant Types - English
No ratings yet
OAuth Grant Types - English
8 pages
What Is Oauth2
No ratings yet
What Is Oauth2
2 pages
Secure Coding Practices & Tools 2
No ratings yet
Secure Coding Practices & Tools 2
15 pages
Authetication Flow
No ratings yet
Authetication Flow
3 pages
API Scenario Checklist-Old
No ratings yet
API Scenario Checklist-Old
14 pages
Digital Communication PPT Aditya Baraskar
No ratings yet
Digital Communication PPT Aditya Baraskar
8 pages
Web Archive Org Web 20201101013657 Tools Ietf Org Id Draft Ietf Oauth Security T
No ratings yet
Web Archive Org Web 20201101013657 Tools Ietf Org Id Draft Ietf Oauth Security T
28 pages
Notes
No ratings yet
Notes
3 pages
Accedian SkyLIGHT Value Proposition
No ratings yet
Accedian SkyLIGHT Value Proposition
44 pages
DMR Trunking Terminal CPS ProgrammingV1.0
No ratings yet
DMR Trunking Terminal CPS ProgrammingV1.0
42 pages
Digital Nurture 2.0 - GenC Pro Qualifier Test Results
No ratings yet
Digital Nurture 2.0 - GenC Pro Qualifier Test Results
2 pages
Himatrix Series
No ratings yet
Himatrix Series
110 pages
Restfulapi Net Security Essentials
No ratings yet
Restfulapi Net Security Essentials
18 pages
Mikhail Shcherbakov ASPdotNETSecurity20
No ratings yet
Mikhail Shcherbakov ASPdotNETSecurity20
82 pages
OAuth 2
No ratings yet
OAuth 2
4 pages
BSCP3
No ratings yet
BSCP3
13 pages
Siemens 6RA70 DC SCR Drive Brochure
No ratings yet
Siemens 6RA70 DC SCR Drive Brochure
12 pages
Implementation of A Chat Bot System Using AI and NLP: Research
No ratings yet
Implementation of A Chat Bot System Using AI and NLP: Research
6 pages
Oauth Overview
No ratings yet
Oauth Overview
45 pages
OAuth2 COSCUP
No ratings yet
OAuth2 COSCUP
58 pages
Big Data 1 PDF
No ratings yet
Big Data 1 PDF
17 pages
IZO Cloud Platform & Services Sales Playbook
No ratings yet
IZO Cloud Platform & Services Sales Playbook
55 pages
OpenID Connect Core 1.0 Incorporating Errata Set 2
No ratings yet
OpenID Connect Core 1.0 Incorporating Errata Set 2
84 pages
Unit 3
No ratings yet
Unit 3
13 pages
Demystifyingoauth
No ratings yet
Demystifyingoauth
57 pages
Web API Security
No ratings yet
Web API Security
29 pages
OAuth 2
No ratings yet
OAuth 2
6 pages
SDFNSDJFSLF Lkwhat Are Refresh Tokens and How To Use Them Securely
No ratings yet
SDFNSDJFSLF Lkwhat Are Refresh Tokens and How To Use Them Securely
14 pages
Introduction o Auth
No ratings yet
Introduction o Auth
124 pages
Part 1 - Best Practices
No ratings yet
Part 1 - Best Practices
48 pages
API Security With OpenID Connect and Red Hat 3scale API Management
No ratings yet
API Security With OpenID Connect and Red Hat 3scale API Management
57 pages
Exchange The Contents of Memory Locations
No ratings yet
Exchange The Contents of Memory Locations
4 pages
Apisecuritywithoauth 181030043459
No ratings yet
Apisecuritywithoauth 181030043459
39 pages
OAuth2 Authorization Patterns and Microservices - by Johan Sydseter - Norway Community Site - Medium
No ratings yet
OAuth2 Authorization Patterns and Microservices - by Johan Sydseter - Norway Community Site - Medium
5 pages
OAuth 2.0 Resume
No ratings yet
OAuth 2.0 Resume
1 page
API Security
No ratings yet
API Security
51 pages
OAuth Exploitation
No ratings yet
OAuth Exploitation
5 pages
REST Authentication
No ratings yet
REST Authentication
21 pages
Oauth2.0 Tutorial PDF
0% (1)
Oauth2.0 Tutorial PDF
17 pages
API Security
No ratings yet
API Security
1 page
Oauth2.0 Tutorial PDF
0% (1)
Oauth2.0 Tutorial PDF
17 pages
Dzone Refcard 347 Oauth Patterns Anti Patterns 202
No ratings yet
Dzone Refcard 347 Oauth Patterns Anti Patterns 202
6 pages
OAuth - Balint Erdi and Philippe de Ryck
No ratings yet
OAuth - Balint Erdi and Philippe de Ryck
87 pages
Securing Web Apis With Oauth 2.0: Article
No ratings yet
Securing Web Apis With Oauth 2.0: Article
13 pages
A Survey Paper On Social Sign-On Protocol Oauth 2.0
No ratings yet
A Survey Paper On Social Sign-On Protocol Oauth 2.0
4 pages
BCP 78 BCP 79
No ratings yet
BCP 78 BCP 79
43 pages
Oauth 2.0 Authentication Vulnerabilities
No ratings yet
Oauth 2.0 Authentication Vulnerabilities
20 pages
Whitepaper - DCE - OAuth2.0 Implementation
No ratings yet
Whitepaper - DCE - OAuth2.0 Implementation
9 pages
Codebits12 - Oauth2 - Theory and Practice - Slides
100% (1)
Codebits12 - Oauth2 - Theory and Practice - Slides
34 pages
Understanding Oauth 2
No ratings yet
Understanding Oauth 2
14 pages
Mastering OAuth 2 0 Sample Chapter PDF
No ratings yet
Mastering OAuth 2 0 Sample Chapter PDF
15 pages
Identity Server 3
No ratings yet
Identity Server 3
11 pages
Rest Security by Example Frank Kim
No ratings yet
Rest Security by Example Frank Kim
62 pages
WSO2 Inc - Securing Your Web Service With OAuth2 Using WSO2 Identity Server - 2014-03-28
No ratings yet
WSO2 Inc - Securing Your Web Service With OAuth2 Using WSO2 Identity Server - 2014-03-28
11 pages
The Oauth 2.0 Authorization Framework Draft-Ietf-Oauth-V2-27
No ratings yet
The Oauth 2.0 Authorization Framework Draft-Ietf-Oauth-V2-27
48 pages
The OAuth 2.0 Authorization Framework
100% (1)
The OAuth 2.0 Authorization Framework
48 pages