OAuth 2.0 Security Considerations


OAuth 2.0 Security Considerations are the Security Considerations that should be read, and where applicable implemented, when using OAuth 2.0.

All who use, or are considering the use of, OAuth 2.0 should review the OAuth 2.0 Threat Model and Security Configurations.

Confidentiality and Integrity#

The OAuth2 protocol does not guarantee Confidentiality or Integrity of communications. That means you must protect HTTP communications using an additional layer: use SSL/TLS (HTTPS) to encrypt the communication channel from the client to the server.

In a nutshell, always use HTTPS for OAuth 2.0, as it is the only way to guarantee message Confidentiality and Integrity!

Token Life#

The spec does not mandate the lifetime or scope of issued Tokens; an implementation is free to issue a Token that lives forever. Although most implementations provide short-lived Access Tokens together with a Refresh Token, be sure to check the Token lifetime and scope you are actually given.
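The two considerations above (HTTPS-only endpoints, and a bounded Token lifetime and scope) can both be enforced on the client side before a Token is trusted. The following is an added illustration, not code from this page or from any OAuth library: it checks that every authorization-server endpoint is an https:// URL, and validates a token endpoint response against the RFC 6749 section 5.1 fields (`token_type`, `expires_in`, `scope`, `refresh_token`). The server metadata, token responses and the lifetime ceiling `MAX_ACCESS_TOKEN_LIFETIME` are constructed sample values and an assumed local policy, not values from the page.

```python
"""Two OAuth 2.0 client-side policy checks (added illustration, constructed data):

1. every authorization-server endpoint the client will call must be HTTPS;
2. an issued Access Token must carry a bounded lifetime and no scope beyond
   what the client requested.
"""
from urllib.parse import urlparse

MAX_ACCESS_TOKEN_LIFETIME = 3600  # assumed local policy ceiling, in seconds


def require_https(url: str) -> str:
    """Return url unchanged if it is an absolute https:// URL, else raise."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"OAuth endpoint must use HTTPS: {url!r}")
    return url


def check_endpoints(metadata: dict) -> dict:
    """Check the issuer and every '*_endpoint' / '*_uri' entry of AS metadata."""
    return {
        key: require_https(value)
        for key, value in metadata.items()
        if key == "issuer" or key.endswith(("_endpoint", "_uri"))
    }


def check_token_response(response: dict, requested_scope: set,
                         max_lifetime: int = MAX_ACCESS_TOKEN_LIFETIME) -> dict:
    """Validate the token endpoint response fields of RFC 6749 section 5.1.

    Returns a summary of lifetime and scope; raises ValueError on any policy violation.
    """
    if response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected or missing token_type")
    expires_in = response.get("expires_in")
    if expires_in is None:
        # expires_in is optional in the spec, so a server may omit it for a
        # token that never expires: treat "unknown" as "unbounded" and refuse.
        raise ValueError("expires_in missing: token lifetime unknown")
    if not isinstance(expires_in, int) or not 0 < expires_in <= max_lifetime:
        raise ValueError(
            f"access token lifetime {expires_in!r}s outside policy (max {max_lifetime}s)")
    # Section 5.1: scope may be omitted only when identical to what was requested.
    granted = set(response.get("scope", " ".join(sorted(requested_scope))).split())
    extra = granted - requested_scope
    if extra:
        raise ValueError(f"server granted scope(s) not requested: {sorted(extra)}")
    return {
        "expires_in": expires_in,
        "scope": sorted(granted),
        "has_refresh_token": "refresh_token" in response,
    }


def run_demo() -> dict:
    """Run both checks over constructed inputs and collect the outcomes."""
    good_metadata = {  # constructed; not a real authorization server
        "issuer": "https://as.example",
        "authorization_endpoint": "https://as.example/authorize",
        "token_endpoint": "https://as.example/token",
        "jwks_uri": "https://as.example/jwks",
    }
    bad_metadata = dict(good_metadata, token_endpoint="http://as.example/token")
    requested = {"read", "write"}
    good_token = {"access_token": "at-constructed", "token_type": "Bearer",
                  "expires_in": 600, "refresh_token": "rt-constructed", "scope": "read"}
    no_expiry = {"access_token": "at-constructed", "token_type": "Bearer"}
    too_wide = dict(good_token, scope="read write admin")
    outcomes = {"endpoints_ok": check_endpoints(good_metadata),
                "token_ok": check_token_response(good_token, requested)}
    for name, fn, args in (("endpoints_http", check_endpoints, (bad_metadata,)),
                           ("token_no_expiry", check_token_response, (no_expiry, requested)),
                           ("token_too_wide", check_token_response, (too_wide, requested))):
        try:
            fn(*args)
            outcomes[name] = "accepted"
        except ValueError as err:
            outcomes[name] = f"rejected: {err}"
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

A missing `expires_in` is rejected rather than tolerated because the spec allows a server to omit it, which is exactly the "Token lives forever" case the text warns about; likewise a scope the client never asked for is refused instead of silently kept.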


More Information#

There might be more information for this subject on one of the following: