
Security Cheat Sheet

Version 2020.001

OAuth 2.0 best practices for developers


OAuth 2.0 is an elaborate framework, which continuously evolves to address current needs and security considerations. The
framework is even evolving into a consolidated OAuth 2.1 specification. This cheat sheet offers an overview of current security
best practices for developers building OAuth 2.x client applications.

General recommendations

Use the Authorization Code flow in every redirect scenario
Always use Proof Key for Code Exchange (PKCE)
  – The client includes a challenge based on a secret in Step 1
  – The client includes the secret verifier in Step 10
When using refresh tokens, apply additional protection
  – Rotate refresh tokens and act upon double use of a token
  – Invalidate refresh tokens for web applications when:
    – the user explicitly logs out of the security token service
    – the user's session with the security token service expires
  – Invalidate refresh tokens when the user's password changes
Include an audience in the flow and in the access tokens
  – This restricts who accepts the access token in Step 12
Restrict the capabilities of bearer access tokens
  – Keep the lifetime of access tokens as short as possible
  – Use scopes to restrict the permissions associated with a token

Recommendations for backend clients

Use client authentication in Step 10
  – Prefer key-based authentication over shared client secrets
Encrypt access tokens and refresh tokens in storage
  – Store the encryption keys using a secret management service
Use proof-of-possession access/refresh tokens
  – Using sender-constrained tokens requires possession of a secret

Recommendations for frontend web clients

Use the Authorization Code flow with PKCE for new projects
  – The Implicit flow is not broken, but should be phased out
Be careful with using refresh tokens in web applications
  – Do not use long-lived refresh tokens in the browser
  – Ensure that refresh tokens are protected (see General recommendations)
Focus on preventing XSS vulnerabilities in the frontend
  – XSS results in the complete compromise of the client application
  – Avoiding the use of LocalStorage is not an XSS defense

Recommendations for native clients

Use a system browser instead of an embedded browser
  – On mobile, use SFSafariViewController or Chrome Custom Tabs
Encrypt access tokens and refresh tokens in storage
  – Store the encryption keys in a key store provided by the OS

References

OAuth 2.0 threat model and security considerations
OAuth 2.0 Security Best Current Practice
The OAuth 2.1 Authorization Framework (draft)
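As an added example that is not part of the cheat sheet, the PKCE exchange recommended above: the client derives an S256 challenge from a random secret (Step 1) and later presents the verifier (Step 10), and the authorization server recomputes the challenge before issuing tokens. The `AuthorizationServer` class is a constructed stand-in for the security token service, not a real implementation.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 prescribes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client side: a fresh high-entropy secret that never leaves the client."""
    return b64url(secrets.token_bytes(32))  # 32 random bytes -> 43 characters


def make_challenge(verifier: str) -> str:
    """Client side, Step 1: the S256 challenge sent in the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Stand-in for the security token service (constructed for this example)."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> challenge it was issued for

    def authorize(self, code_challenge: str, method: str) -> str:
        """Authorization request: remember the challenge, hand out a one-time code."""
        if method != "S256":  # 'plain' would expose the verifier itself
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Step 10: the code is consumed whether or not the verifier matches."""
        stored = self._pending.pop(code, None)
        if stored is None or not 43 <= len(code_verifier) <= 128:
            return False  # unknown/replayed code, or verifier outside RFC bounds
        return hmac.compare_digest(make_challenge(code_verifier), stored)


def run_flow(tamper: bool = False) -> bool:
    """Whole flow; tamper=True redeems the code with a verifier the client never used."""
    srv = AuthorizationServer()
    verifier = make_verifier()
    code = srv.authorize(make_challenge(verifier), "S256")
    return srv.token(code, make_verifier() if tamper else verifier)
```

A code intercepted in transit is useless without the verifier, and because the code is popped on first use, a replayed code is rejected even with the right verifier.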

Best practices for SPAs and APIs: https://courses.pragmaticwebsecurity.com/