OAuth 2.0 – Security

  • Protecting Redirect-Based Flows
    • Exact matching of client redirect URIs against pre-registered URIs
    • Avoid forwarding the user's browser to a URI obtained from a query parameter (if unavoidable, implement appropriate countermeasures against open redirection)
    • Prevent CSRF by implementing one-time CSRF token (state parameter)
    • Validate that all requests came from the same user agent / client.
    • Authorization Code Grant
      • Clients utilizing the authorization code grant type must use PKCE
    • Implicit Grant
      • Should not be used
  • Token Replay Prevention
    • Authorization server should use end-to-end TLS whenever possible
    • Refresh token rotation must be implemented
    • One-time refresh token
  • Access Token Privilege Restriction
    • The privileges associated with an access token SHOULD be restricted to the minimum required for the particular application or use case.
    • Access tokens SHOULD be restricted to certain resource servers, preferably to a single resource server.
    • Additionally, access tokens SHOULD be restricted to certain resources and actions on resource servers or resources.
  • Attacks
    • Insufficient Redirect URI Validation
    • Credential Leakage via Referrer Headers
      • Stealing the authorization code through the Referrer header
      • Stealing the access token through the Referrer header
    • Attacks through the Browser History
      • Code in Browser History
      • Access Token in Browser History
    • Authorization Code Injection
    • Access Token Injection
    • Cross-Site Request Forgery attack against the client
    • Access Token Leakage at the Resource Server
    • Compromised Resource Server
      • XSS, SQL injection and others
    • Open Redirect
      • Stealing the token through an open redirect
    • Theft of client credentials from JavaScript-only application
    • Token replays
  • References
    • https://tools.ietf.org/pdf/draft-ietf-oauth-security-topics-12.pdf
    • OAuth 2 in Action by Justin Richer
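Worked example for the "Protecting Redirect-Based Flows" items above (exact redirect URI matching, one-time state token, PKCE). This is added example code, not from the cited draft or book; the client registry and helper names are this example's own assumptions, and the PKCE challenge follows the S256 method.

```python
# Added example: the three redirect-flow checks from the outline above.
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample registration: one client and its exact pre-registered URIs.
REGISTERED_REDIRECT_URIS = {
    "client-app": {"https://app.example.com/callback"},
}


def redirect_uri_is_valid(client_id: str, redirect_uri: str) -> bool:
    """Exact string match only: no prefix, wildcard or host-only matching, so
    'https://app.example.com/callback/../x' or '.../callback?x=1' are rejected."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def new_state() -> str:
    """One-time, unguessable CSRF token; the client binds it to the user session."""
    return secrets.token_urlsafe(32)


def state_matches(session_state: Optional[str], returned_state: str) -> bool:
    """Constant-time comparison on callback; a missing session value never matches."""
    return session_state is not None and hmac.compare_digest(session_state, returned_state)


def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_verifier_is_valid(stored_challenge: str, presented_verifier: str) -> bool:
    """Token endpoint check: recompute the challenge stored with the authorization
    code from the verifier presented now. A stolen or injected code fails here."""
    if not (43 <= len(presented_verifier) <= 128):
        return False
    return hmac.compare_digest(stored_challenge, pkce_challenge(presented_verifier))


if __name__ == "__main__":
    verifier = secrets.token_urlsafe(48)
    assert pkce_verifier_is_valid(pkce_challenge(verifier), verifier)
    assert not redirect_uri_is_valid("client-app", "https://app.example.com/callback/../x")
    print("redirect-flow checks pass")
```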