OAuth 2.0 Security Considerations are Security Considerations that should be read and, when applicable, implemented when using OAuth 2.0.

OAuth 2.0 Security Considerations is Ldapwiki's "catch all" for OAuth 2.0, OpenID Connect and User-Managed Access Security Considerations:
The OAuth 2.0 protocol does not guarantee Confidentiality of communications. That means you MUST protect communications using an additional layer: the use of SSL (HTTPS) to encrypt the communication channel from the client to the server.

Always use HTTPS for OAuth 2.0, as it is the only way to guarantee message Confidentiality or Integrity!
The spec does not mandate the lifetime and scope of the issued Tokens. An implementation is free to have a Token live forever. Although most implementations provide short-lived Access Tokens and a Refresh Token, be sure to check the Token lifetime and scope.
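The two checks above (HTTPS only, and inspecting the lifetime and scope of what the server actually issued) as a client-side policy, written as an added example for this page rather than code from Ldapwiki or any OAuth library; the function names and the one-hour lifetime limit are assumptions of this example.

```python
"""Policy checks an OAuth 2.0 client can apply before trusting an endpoint or a token response.

Added example; not Ldapwiki's code and not a library API. Names and limits are assumptions.
"""
from urllib.parse import urlparse

# Policy assumption for this example: refuse access tokens that live longer than one hour.
MAX_ACCESS_TOKEN_LIFETIME = 3600


def endpoint_is_acceptable(url: str) -> bool:
    """Return True only for an https URL with a host, so tokens never travel in clear text."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_token_response(response: dict, requested_scope: set[str]) -> list[str]:
    """Return the policy problems found in a token endpoint response (RFC 6749 section 5.1 fields).

    An empty list means the response is acceptable under this example's policy.
    """
    problems = []
    if str(response.get("token_type", "")).lower() != "bearer":
        problems.append("unexpected token_type")

    # expires_in is only RECOMMENDED by the spec, so its absence is exactly the
    # "token may live forever" case the page warns about.
    expires_in = response.get("expires_in")
    if expires_in is None:
        problems.append("no expires_in: token lifetime unknown, may live forever")
    elif not isinstance(expires_in, int) or expires_in <= 0 or expires_in > MAX_ACCESS_TOKEN_LIFETIME:
        problems.append(f"expires_in {expires_in!r} outside policy (1..{MAX_ACCESS_TOKEN_LIFETIME}s)")

    # scope may be omitted when identical to what was requested; when present it
    # must never grant more than the client asked for.
    granted = set(str(response.get("scope", "")).split())
    if granted and not granted <= requested_scope:
        problems.append(f"scope escalated beyond request: {sorted(granted - requested_scope)}")
    return problems
```

A client would call `endpoint_is_acceptable` on the authorization and token endpoint URLs before sending credentials, and `check_token_response` on every token endpoint reply before storing the token.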