Overview#

Best Practices for OpenID Connect and OAuth 2.0

OAuth 2.0 and OpenID Connect APIs can be used for both authentication and authorization so the security implications of getting the implementation correct, we strongly encourage you to take advantage of a pre-written library or service. Authenticating users properly is important to their and your safety and security, and using well-debugged code written by others is generally a Best Practice.

OAuth 2.0 Threat Model and Security Configurations

Best Practices OpenID Connect for Specific Implementations #

• For Native application BCP 212
• Best Practices in Authorization for FHIR (http://docs.smarthealthit.org/authorization/best-practices/)
• OAuth 2.0 Security Considerations
• JSON Web Token Best Current Practices
• OAuth 2.0 Authorization Server Metadata
• Explicit Endpoint
• OAuth 2.0 Vulnerabilities
• OAuth 2.0 Security Best Current Practice
• OAuth 2.0 Security-Closing Open Redirectors in OAuth

HTTP POST#

• Use Form Post Response Mode

Minimal Identity Token Validation#

• iss - this value MUST match the OpenID Connect Discovery issuer value
• aud - this MUST be your client_id
• nonce - This MUST be the nonce value you sent in your request
• exp - verify the assertion has not expired
• Verify the JWS Digital Signature of the JWT id_token

OPTIONAL Validations:#

• at_hash - verify that your are using the correct access Token
• s_hash - verify the hash of the OAuth state parameter
• iat - maybe you want an id_token that was issued within a certain time frame?
• auth_time - Perhaps it has been longer than you think is reasonable and you can send the OpenID Connect Provider a prompt Parameter (prompt=login) to the Authorization_endpoint

OpenID Connect Implementer's Guides#

Read the OpenID Connect Implementer's Guides

Advanced OpenID Connect Clients#

• Use the Hybrid Flow
• Be sure you only send the Authorization Code to the correct issuer to prevent a IDP mix-up attack.
• Use a distinct redirect_uri for each OpenID Connect Provider
• If using a OAuth Public Client implement Proof Key for Code Exchange by OAuth Public Clients and use SHA-2 (AppAuth is reccomended)
• Use TLS 1.2 or later and follow RFC 7525
• implement Mutual TLS Profiles for OAuth Clients or Token Binding Protocol
• Use acr_values sending in the OpenID Connect Authentication Request
  • default_acr_values can be registered in the OAuth 2.0 Client Registration
  • verify id_token for acceptable acr claim.
• Use FIDO
• Cryptography Guidlines
  • RSA should use minimum 2048 bit keys
  • Elliptic Curve key should be minimum of 160 bits
  • client Secret should be minimum of 128 bits is using symmetric Key Cryptography
  • Use PS256 or ES256 Digital Signature algorithms
  • OpenID Connect Federation provides an out-of-band Key-Exchange for signing keys.

More Information#

There might be more information for this subject on one of the following:

• Authorization Code Flow