Overview#
OAuth 2.0 Security Considerations are the Security Considerations that should be read, and implemented where applicable, when using OAuth 2.0.
OAuth 2.0 Security Considerations is LDAPWiki's "catch all" for OAuth 2.0, OpenID Connect and User-Managed Access Security Considerations.
The OAuth 2.0 protocol does not by itself provide Confidentiality or Integrity of communications. That means you MUST protect the HTTP communications with an additional layer: TLS (HTTPS) to encrypt and authenticate the channel between the client and the server. RFC 6749 requires TLS on the authorization endpoint and the token endpoint, and requires the client to validate the authorization server's certificate. SSL and TLS 1.0/1.1 are obsolete and should not be enabled.
Always use HTTPS for OAuth 2.0, as it is the only way to guarantee message Confidentiality and Integrity in transit!
Token Life#
The spec does not mandate the lifetime or scope of the issued Tokens. An implementation is free to issue a Token that lives forever. Although most implementations provide short-lived Access Tokens together with a Refresh Token, be sure to check the Token lifetime and scope: the token response carries the lifetime in the expires_in parameter (recommended, not required, by RFC 6749) and carries the granted scope in the scope parameter whenever it differs from what the client requested. Treat a missing expires_in as an unknown, possibly unlimited, lifetime, and do not accept a Token whose scope is broader than the one you asked for.
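As an added example (not part of the LDAPWiki page, and not code from any OAuth 2.0 library), the following Python client-side guard covers both points above: it refuses any OAuth endpoint that is not https://, builds a TLS context with certificate and hostname verification and no SSL/TLS 1.0/1.1, and checks a token endpoint response for an over-long or unknown lifetime and for a scope broader than the one requested. The one-hour policy maximum, the fixed clock value NOW, the function names and the sample token responses (including the unsigned JWT-shaped access token) are assumptions constructed for the example, not values from the spec.

```python
import base64
import json
import ssl
from typing import List, Optional
from urllib.parse import urlparse

# Policy limit assumed for this example; RFC 6749 sets no maximum lifetime.
MAX_ACCESS_TOKEN_LIFETIME = 3600  # seconds this client is willing to accept

# Fixed "now" so the constructed sample below evaluates the same way every run.
NOW = 1_700_000_000


def require_https(url: str) -> bool:
    """True only for an absolute https:// URL.

    RFC 6749 requires TLS on the authorization and token endpoints; sending a
    code, token or client secret to an http:// URL exposes it on the path.
    """
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def tls_context() -> ssl.SSLContext:
    """Client-side TLS settings: certificate and hostname verification on,
    obsolete protocol versions (SSL, TLS 1.0 and 1.1) refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def jwt_claims(token: str) -> Optional[dict]:
    """Decode the payload if the access token happens to be a JWT.

    Access tokens are opaque to the client per RFC 6749; this is only a
    best-effort peek at the exp claim and does NOT verify any signature."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64 (binascii.Error) or bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def check_token_response(resp: dict, requested_scope: str, now: float = NOW) -> List[str]:
    """Return policy findings for a token endpoint response (RFC 6749 section 5.1)."""
    findings = []

    expires_in = resp.get("expires_in")
    if not isinstance(expires_in, (int, float)):
        findings.append("no expires_in: lifetime unknown, assume the token never expires")
    elif expires_in > MAX_ACCESS_TOKEN_LIFETIME:
        findings.append(f"expires_in={expires_in}s exceeds policy maximum of {MAX_ACCESS_TOKEN_LIFETIME}s")

    # The server MUST send scope when it differs from the request;
    # when scope is absent, the granted scope equals the requested one.
    granted = set((resp.get("scope") or requested_scope).split())
    requested = set(requested_scope.split())
    extra = granted - requested
    if extra:
        findings.append(f"scope broader than requested: {' '.join(sorted(extra))}")

    claims = jwt_claims(resp.get("access_token", ""))
    if claims is not None:
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)):
            findings.append("JWT access token carries no exp claim")
        elif exp - now > MAX_ACCESS_TOKEN_LIFETIME:
            findings.append(f"JWT exp is {int(exp - now)}s away, exceeds policy maximum")
    return findings


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: an unsigned JWT-shaped access token good for 24 hours
# that also grants a scope ("admin") the client never asked for.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "none", "typ": "JWT"}),
    _b64url({"sub": "alice", "scope": "read write admin", "exp": NOW + 86400}),
    "",
])
LONG_LIVED_RESPONSE = {
    "access_token": SAMPLE_TOKEN,
    "token_type": "Bearer",
    "expires_in": 86400,
    "scope": "read write admin",
    "refresh_token": "constructed-refresh-token",
}
SHORT_LIVED_RESPONSE = {
    "access_token": "opaque-constructed-token",
    "token_type": "Bearer",
    "expires_in": 600,
}

if __name__ == "__main__":
    for url in ("https://as.example.com/token", "http://as.example.com/token"):
        print(url, "allowed" if require_https(url) else "REFUSED: not https")
    for name, resp in (("long-lived", LONG_LIVED_RESPONSE), ("short-lived", SHORT_LIVED_RESPONSE)):
        print(name, check_token_response(resp, "read write") or "OK")
```

The long-lived sample yields three findings (lifetime too long, scope too broad, JWT exp too far out) while the short-lived opaque token yields none. In a real client, wrap the token request with `tls_context()` and refuse to proceed on any finding rather than just logging it.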
There might be more information for this subject on one of the following: