!!! Overview
[Best Practices] for [OpenID Connect] and [OAuth 2.0]

[OAuth 2.0] and [OpenID Connect] [APIs] can be used for both [authentication] and [authorization]. Because of the [security implications|Security Considerations] of getting the [implementation] correct, we strongly encourage you to take advantage of a pre-written library or service. Authenticating users properly is important to their and your safety and security, and using well-debugged code written by others is generally a [Best Practice].

[OAuth 2.0 Threat Model and Security Configurations]

!! [{$pagename}] for Specific [Implementations]
* For [Native application]: [BCP 212]
* [Best Practices] in [Authorization] for [FHIR] ([http://docs.smarthealthit.org/authorization/best-practices/|http://docs.smarthealthit.org/authorization/best-practices/|target='_blank'])
* [OAuth 2.0 Security Considerations]
* [JSON Web Token Best Current Practices]
* [OAuth 2.0 Authorization Server Metadata]
* [Explicit Endpoint]
* [OAuth 2.0 Vulnerabilities]
* [OAuth 2.0 Security Best Current Practice]
* [OAuth 2.0 Security-Closing Open Redirectors in OAuth]

!! [HTTP POST]
* Use [Form Post Response Mode]

!! Minimal [Identity Token Validation]
* [iss] - this value [MUST] match the [OpenID Connect Discovery] [issuer] value
* [aud] - this [MUST] be your [client_id]
* [nonce] - this [MUST] be the [nonce] value you sent in your request
* [exp] - verify the [assertion] has not expired
* Verify the [JWS] [Digital Signature] of the [JWT] [id_token]

! [OPTIONAL] [Validations]:
* [at_hash] - verify that you are using the correct [access Token]
* [s_hash] - verify the hash of the [OAuth state parameter]
* [iat] - reject an [id_token] that was not issued within the time frame you consider acceptable
* [auth_time] - if the authentication is older than you consider reasonable, send the [OpenID Connect Provider] a new request to the [Authorization_endpoint] with the [prompt Parameter] set to prompt=login

!! [OpenID Connect Implementer's Guides]
Read the [OpenID Connect Implementer's Guides]

!! Advanced [OpenID Connect] [Clients]
* Use the [Hybrid Flow]
* Be sure you only send the [Authorization Code] to the correct [issuer] to prevent an [IDP] mix-up [attack].
* Use a distinct [redirect_uri] for each [OpenID Connect Provider]
* If using an [OAuth Public Client], implement [Proof Key for Code Exchange by OAuth Public Clients] and use [SHA-2] ([AppAuth] is recommended)
* Use [TLS 1.2] or later and follow [RFC 7525]
* Implement [Mutual TLS Profiles for OAuth Clients] or [Token Binding Protocol]
* Send [acr_values] in the [OpenID Connect] [Authentication Request]
** [default_acr_values] can be registered in the [OAuth 2.0 Client Registration]
** verify that the [id_token] carries an acceptable [acr] claim
* Use [FIDO]
* [Cryptography] Guidelines
** [RSA] should use a minimum of 2048-bit keys
** [Elliptic Curve] keys should be a minimum of 160 bits
** [client Secret] should be a minimum of 128 bits if using [symmetric Key Cryptography]
** Use [PS256] or [ES256] [Digital Signature] [algorithms]
** [OpenID Connect Federation] provides an out-of-band [Key-Exchange] for signing keys.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
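The minimal and optional [id_token] checks listed above, worked through in Python as an added example (not code from this wiki or from any of the linked specifications). validate_id_token, half_hash, sign_hs256 and hs256_verifier are hypothetical helper names; the HS256 signer exists only so the sample runs offline, whereas a real client verifies PS256/ES256 signatures against the provider's published keys with a well-tested library.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def half_hash(value: str, alg: str) -> str:
    # at_hash / s_hash: base64url of the left-most half of the hash matching the JWS alg (xS256 -> SHA-256, etc.)
    digest = getattr(hashlib, "sha" + alg[-3:])(value.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])

def _check(condition: bool, message: str) -> None:
    if not condition:
        raise ValueError(message)

def validate_id_token(token, issuer, client_id, nonce, verify_signature, access_token=None,
                      state=None, now=None, max_age=None, max_auth_age=None):
    # Returns the validated claims or raises ValueError (hypothetical helper, not a library API).
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    # Verify the JWS signature before trusting any claim; verify_signature(header, signing_input,
    # signature) -> bool is expected to be backed by the provider's published signing keys.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    _check(verify_signature(header, signing_input, b64url_decode(sig_b64)), "JWS signature check failed")
    _check(claims.get("iss") == issuer, "iss does not match the discovery issuer")
    aud = claims.get("aud")
    _check(client_id in ([aud] if isinstance(aud, str) else aud or []), "aud does not contain our client_id")
    _check(claims.get("nonce") == nonce, "nonce does not match the value we sent")
    _check(claims.get("exp", 0) > now, "id_token has expired")
    # Optional checks, enforced only when the caller supplies the value to compare against
    if max_age is not None:
        _check(claims.get("iat", 0) >= now - max_age, "id_token was issued too long ago")
    if access_token is not None:
        _check(claims.get("at_hash") == half_hash(access_token, header["alg"]), "at_hash mismatch: wrong access token")
    if state is not None:
        _check(claims.get("s_hash") == half_hash(state, header["alg"]), "s_hash mismatch: wrong state parameter")
    if max_auth_age is not None:
        _check(claims.get("auth_time", 0) >= now - max_auth_age, "authentication too old; re-request with prompt=login")
    return claims

def sign_hs256(claims: dict, key: bytes) -> str:
    # Demo-only HS256 signer so the example runs offline; production id_tokens should use PS256/ES256.
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("ascii"))
    payload_b64 = b64url_encode(json.dumps(claims).encode("ascii"))
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), "sha256").digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"

def hs256_verifier(key: bytes):
    return lambda header, signing_input, sig: header.get("alg") == "HS256" and hmac.compare_digest(
        hmac.new(key, signing_input, "sha256").digest(), sig)
```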