All who have, or are considering, OAuth 2.0 Security Concerns should review OAuth 2.0 Threat Model and Security Configurations.

Confidentiality and Integrity#

The OAuth2 protocol does not guarantee Confidentiality or Integrity of communications. That means you must protect HTTP communications using an additional layer: use SSL/TLS (HTTPS) to encrypt the communication channel from the client to the server.

In a nutshell, always use HTTPS for OAuth 2.0, as it is the only way to guarantee message Confidentiality and Integrity!

Token Life#

The spec does not mandate the lifetime or scope of the issued Tokens. An implementation is free to have a Token live forever. Although most implementations provide short-lived Access Tokens and a Refresh Token, be sure to check the Token lifetime and scope.
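Both concerns above (the transport must be HTTPS, and the Token lifetime and scope must be checked rather than assumed) can be enforced on the client side before a Token is used. The following is an added example, not code from this wiki page or from any OAuth library; the endpoint names, the `max_lifetime` policy value and the sample token response are assumptions constructed for the demonstration, and the token strings are placeholders.

```python
"""Client-side checks for two OAuth 2.0 concerns: endpoints must be served over
HTTPS, and the issued Token's lifetime and scope must be inspected.
Added example; it is not part of the original page or any OAuth library."""
import json
import time
from urllib.parse import urlparse

# Constructed sample token response in the shape given by RFC 6749 section 5.1.
# The token values are placeholders, not real credentials.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "PLACEHOLDER-ACCESS-TOKEN",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "PLACEHOLDER-REFRESH-TOKEN",
    "scope": "read write",
})


def is_https(url):
    """True only if the URL uses the https scheme and names a host.

    OAuth 2.0 gives no confidentiality or integrity itself, so every
    authorization, token and redirect endpoint must sit behind TLS.
    """
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def insecure_endpoints(endpoints):
    """Return the names of endpoints that are not served over HTTPS.

    endpoints: mapping of endpoint name -> URL (names are assumptions here).
    An empty list means the client may proceed.
    """
    return [name for name, url in endpoints.items() if not is_https(url)]


def parse_token_response(body, requested_scope, now=None, max_lifetime=3600):
    """Parse a token response and report lifetime and scope findings.

    requested_scope: the space-separated scope string the client asked for.
    max_lifetime: local policy in seconds (assumed value); longer-lived
    access tokens are flagged. Returns the token, its absolute expiry (None
    when the server gave no expires_in), the granted scope and the findings.
    """
    data = json.loads(body)
    now = time.time() if now is None else now
    findings = []

    expires_in = data.get("expires_in")
    if expires_in is None:
        # RFC 6749 only recommends expires_in; without it the client cannot
        # know the lifetime and must treat the token as potentially long-lived.
        expires_at = None
        findings.append("missing_expires_in")
    else:
        expires_in = int(expires_in)
        expires_at = now + expires_in
        if expires_in > max_lifetime:
            findings.append("lifetime_exceeds_policy")

    # RFC 6749 section 5.1: the server may omit scope when it equals the request.
    granted = set((data.get("scope") or requested_scope).split())
    requested = set(requested_scope.split())
    for extra in sorted(granted - requested):
        findings.append("scope_extra:" + extra)
    for missing in sorted(requested - granted):
        findings.append("scope_missing:" + missing)

    return {
        "access_token": data["access_token"],
        "token_type": data.get("token_type"),
        "expires_at": expires_at,
        "granted_scope": granted,
        "refresh_token": data.get("refresh_token"),
        "findings": findings,
    }


def token_is_fresh(token_info, now=None, skew=30):
    """True if the access token should still be sent.

    Returns False once the token is within `skew` seconds of expiry so the
    caller refreshes (or re-authorizes) instead of sending a stale token.
    A token with no known expiry is reported as not fresh: this client does
    not rely on an open-ended lifetime it cannot verify.
    """
    now = time.time() if now is None else now
    expires_at = token_info["expires_at"]
    if expires_at is None:
        return False
    return now + skew < expires_at


if __name__ == "__main__":
    # Constructed endpoint set: the token endpoint is deliberately plain HTTP.
    endpoints = {
        "authorize": "https://as.example.test/authorize",
        "token": "http://as.example.test/token",
    }
    print("insecure endpoints:", insecure_endpoints(endpoints))
    info = parse_token_response(SAMPLE_TOKEN_RESPONSE, "read write")
    print("findings:", info["findings"], "fresh:", token_is_fresh(info))
```

The findings are returned as short codes rather than raised as exceptions so that a client can log them for detection purposes and still decide locally which ones block use of the Token; a missing `expires_in` or a broader scope than requested is exactly the kind of implementation behaviour the text says must be checked rather than assumed.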

More Information#

There might be more information for this subject on one of the following:

This page (revision-1) was last changed on 16-Jun-2015 15:21 by jim