OAuth 2.0 Authentication
Last updated
This page contains recommendations for the implementation of OAuth 2.0 authentication.
Do not implement support for OAuth2 authentication from scratch. Instead, use well-known and up-to-date frameworks or packages.
Use the Authorization Code Grant Flow to implement OAuth2 authentication.
Do not use the Implicit Grant Flow. Disable the use of the Implicit Grant Flow if a framework or package supports the flow.
Use URLs from an allow list as redirect_uri.
Do not use wildcards for defining redirect_uri.
Use a unique allow list of redirect_uri values for each OAuth2 client.
Implement CSRF protection using the state parameter, see the Vulnerability Mitigation: Cross-Site Request Forgery (CSRF) page.
Generate a unique state parameter for each authentication attempt.
Generate the state parameter using a cryptographically strong random generator, see the Cryptography: Random Generators page.
Use a state parameter of at least 16 bytes.
Generate a unique authorization code for each authentication attempt.
Generate the authorization code using a cryptographically strong random generator, see the Cryptography: Random Generators page.
Use authorization codes of at least 16 bytes.
Set the expiration time of an authorization code to less than 1 hour.
Use an authorization code once. Delete an authorization code or transfer it to a final status that prohibits reusing.
Do not redirect users to URLs specified in the parameters without checking them against an allow list.
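The redirect_uri, state and authorization code requirements above, as an added Go example that is not the page's own code and not part of any OAuth2 framework or package: an exact-match allow list per client (no wildcards, no prefix matching), 16-byte values from crypto/rand for both state and authorization codes, constant-time state verification, and a code store that binds each code to its client and redirect_uri, expires it after a TTL under one hour, and moves it to a final "used" status on first redemption. The client ids (web-client, mobile-client), the callback URLs and the CodeStore type are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Constructed allow list: each client_id has its own set of exact
// redirect_uri values. No wildcards, no prefix matching.
var redirectAllowList = map[string][]string{
	"web-client":    {"https://app.example.com/oauth/callback"},
	"mobile-client": {"com.example.app:/oauth/callback"},
}

// ValidateRedirectURI accepts redirect_uri only on an exact, constant-time
// match against the allow list that belongs to this client.
func ValidateRedirectURI(clientID, redirectURI string) bool {
	for _, allowed := range redirectAllowList[clientID] {
		if subtle.ConstantTimeCompare([]byte(allowed), []byte(redirectURI)) == 1 {
			return true
		}
	}
	return false
}

// NewToken returns a URL-safe string encoding 16 bytes (128 bits) from
// crypto/rand. It is used for both the state parameter and authorization codes.
func NewToken() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// VerifyState compares the state stored in the user's session with the one
// returned by the provider; an empty or mismatching value is a CSRF failure.
func VerifyState(sessionState, returnedState string) bool {
	return sessionState != "" &&
		subtle.ConstantTimeCompare([]byte(sessionState), []byte(returnedState)) == 1
}

type authCode struct {
	clientID    string
	redirectURI string
	expiresAt   time.Time
	used        bool // final status: a used code can never be redeemed again
}

// CodeStore (hypothetical) issues short-lived, single-use authorization codes.
type CodeStore struct {
	mu    sync.Mutex
	codes map[string]*authCode
	ttl   time.Duration    // must be below one hour
	now   func() time.Time // injectable clock so expiry can be exercised in tests
}

var ErrInvalidCode = errors.New("authorization code is unknown, expired, used or bound to other parameters")

func NewCodeStore(ttl time.Duration) *CodeStore {
	return &CodeStore{codes: map[string]*authCode{}, ttl: ttl, now: time.Now}
}

// Issue creates a fresh code bound to the client and the validated redirect_uri.
func (s *CodeStore) Issue(clientID, redirectURI string) (string, error) {
	if !ValidateRedirectURI(clientID, redirectURI) {
		return "", errors.New("redirect_uri is not in the client's allow list")
	}
	code, err := NewToken()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[code] = &authCode{clientID: clientID, redirectURI: redirectURI, expiresAt: s.now().Add(s.ttl)}
	return code, nil
}

// Redeem accepts a code exactly once, only before it expires, and only for
// the client and redirect_uri it was issued to.
func (s *CodeStore) Redeem(code, clientID, redirectURI string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.codes[code]
	if !ok || c.used || !s.now().Before(c.expiresAt) ||
		c.clientID != clientID || c.redirectURI != redirectURI {
		return ErrInvalidCode
	}
	c.used = true // transfer to the final status instead of deleting, so replays are visible
	return nil
}

func main() {
	const cb = "https://app.example.com/oauth/callback"
	store := NewCodeStore(10 * time.Minute)
	state, _ := NewToken()
	fmt.Println("state:", state, "verified:", VerifyState(state, state))
	code, err := store.Issue("web-client", cb)
	fmt.Println("issued:", code, err)
	fmt.Println("first redeem:", store.Redeem(code, "web-client", cb))
	fmt.Println("second redeem:", store.Redeem(code, "web-client", cb))
	_, err = store.Issue("web-client", "https://app.example.com.attacker.example/oauth/callback")
	fmt.Println("look-alike redirect_uri:", err)
}
```

Keeping the "used" flag rather than deleting the entry lets a second redemption of the same code be distinguished from an unknown code, which is the event worth logging under the requirements below.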
Do not link OAuth authentication to an already existing account during the authentication flow.
Comply with requirements from the Error and Exception Handling page.
Log all authentication decisions (successful and not successful), see the Logging and Monitoring page. In particular, log the following events:
Successful authentication
Failed authentication
Successful connection to an OAuth provider
Failed connection to an OAuth provider
Disconnect an OAuth provider
Comply with requirements from the Sensitive Data Management page.
Limit the number of attempts to sign in for a certain period, see the Vulnerability Mitigation: Brute-force page.
Enforce multi-factor authentication, see the Authentication: Multi-factor Authentication page.
Notify a user via an available communication channel (email, push, SMS, etc.) about successful login under their account from an unknown location, browser, client, etc.
Use the oauth2 package, which implements an OAuth2 client.