OAuth 2.0 Authentication
Overview
This page contains recommendations for the implementation of OAuth 2.0 authentication.
General
Do not implement support for OAuth2 authentication from scratch. Instead, use well-known and up-to-date frameworks or packages.
Use the Authorization Code Grant Flow to implement OAuth2 authentication.
Do not use the Implicit Grant Flow. Disable the use of the Implicit Grant Flow if a framework or package supports the flow.
Use URLs from an allow list as redirect_uri.
Do not use wildcards for defining redirect_uri.
Use a unique allow list with redirect_uri for each OAuth2 client.
Implement CSRF protection using the state parameter, see the Vulnerability Mitigation: Cross-Site Request Forgery (CSRF) page.
Generate a unique state parameter for each authentication attempt.
Generate the state parameter using a cryptographically strong random generator, see the Cryptography: Random Generators page.
Use a state parameter of length 16+ bytes.
Generate a unique authorization code for each authentication attempt.
Generate the authorization code using a cryptographically strong random generator, see the Cryptography: Random Generators page.
Use authorization codes of length 16+ bytes.
Set the expiration time for an authorization code to < 1 hour.
Use an authorization code once. Delete an authorization code or transfer it to a final status that prohibits reusing it.
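The redirect_uri, state and authorization code requirements above, as an added Go example that is not part of the original page and not taken from the oauth2 package it recommends: an exact-match, per-client redirect_uri allow list; state and authorization codes drawn from crypto/rand with a 16-byte minimum and compared in constant time; and a code store that enforces a lifetime under one hour and moves every code to a final "used" status on its first redemption attempt, successful or not. The client IDs and callback URLs are constructed sample data.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"sync"
	"time"
)

// redirectAllowList is a constructed sample: one exact-match allow list per
// OAuth2 client. Client IDs and URLs are made up for this example.
var redirectAllowList = map[string][]string{
	"client-web":    {"https://app.example.com/oauth/callback"},
	"client-mobile": {"https://m.example.com/oauth/callback"},
}

// ValidRedirectURI accepts a redirect_uri only on an exact, per-client
// allow-list match. No prefix, wildcard or substring matching.
func ValidRedirectURI(clientID, redirectURI string) bool {
	for _, allowed := range redirectAllowList[clientID] {
		if allowed == redirectURI {
			return true
		}
	}
	return false
}

// NewToken returns n bytes from crypto/rand (n >= 16), base64url-encoded.
// Used for both the state parameter and authorization codes.
func NewToken(n int) (string, error) {
	if n < 16 {
		return "", errors.New("token must be at least 16 bytes")
	}
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// StateMatches compares the state stored in the user's session with the one
// returned on the callback, in constant time.
func StateMatches(expected, got string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1
}

type codeRecord struct {
	clientID  string
	expiresAt time.Time
	used      bool // final status: a used code can never be redeemed again
}

// CodeStore issues short-lived, single-use authorization codes.
type CodeStore struct {
	mu    sync.Mutex
	ttl   time.Duration
	Now   func() time.Time // injectable clock so expiry can be tested
	codes map[string]*codeRecord
}

// NewCodeStore rejects code lifetimes of an hour or more.
func NewCodeStore(ttl time.Duration) (*CodeStore, error) {
	if ttl <= 0 || ttl >= time.Hour {
		return nil, errors.New("authorization code lifetime must be positive and under one hour")
	}
	return &CodeStore{ttl: ttl, Now: time.Now, codes: map[string]*codeRecord{}}, nil
}

// Issue creates a fresh code bound to one client for one authentication attempt.
func (s *CodeStore) Issue(clientID string) (string, error) {
	code, err := NewToken(32)
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[code] = &codeRecord{clientID: clientID, expiresAt: s.Now().Add(s.ttl)}
	return code, nil
}

// Redeem exchanges a code exactly once. Any attempt, whether it succeeds or
// fails on client mismatch or expiry, leaves the code permanently unusable.
func (s *CodeStore) Redeem(code, clientID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.codes[code]
	if !ok {
		return errors.New("unknown authorization code")
	}
	if rec.used {
		return errors.New("authorization code already used")
	}
	rec.used = true // move to final status before any further check
	if rec.clientID != clientID {
		return errors.New("authorization code issued to a different client")
	}
	if s.Now().After(rec.expiresAt) {
		return errors.New("authorization code expired")
	}
	return nil
}
```

Marking the code as used before checking the client or the expiry is deliberate: a code that has been presented once, by anyone, should never be redeemable afterwards, which is what "transfer it to a final status that prohibits reusing" asks for.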
Do not redirect users to URLs specified in the parameters without checking them against an allow list.
Do not automatically link an OAuth identity to an already existing account during authentication.
Comply with requirements from the Error and Exception Handling page.
Log all authentication decisions (successful and not successful), see the Logging and Monitoring page.
Successful authentication
Failed authentication
Successful connection to an OAuth provider
Failed connection to an OAuth provider
Disconnect an OAuth provider
Comply with requirements from the Sensitive Data Management page.
Limit the number of attempts to sign in for a certain period, see the Vulnerability Mitigation: Brute-force page.
Enforce multi-factor authentication, see the Authentication: Multi-factor Authentication page.
Notify a user via an available communication channel (email, push, SMS, etc.) about successful login under their account from an unknown location, browser, client, etc.
Frameworks & packages for implementation of OAuth2 authentication
Use the oauth2 package, which implements an OAuth2 client.