Konubinix' opinionated web of thoughts

OAuth 2.0 Security Best Current Practice

Fleeting

See OAuth 2 with Single-Page Apps

authorization servers MUST utilize exact string matching except for port numbers in localhost redirection URIs of native apps

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-introduction-8

Public clients MUST use PKCE

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-introduction-8

clients SHOULD NOT use the implicit grant (response type “token”)

[…]

Clients SHOULD instead use the response type “code” (aka authorization code grant type)

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-introduction-8

prevent abuse of the phished access token at the legitimate resource server

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-audience-restricted-access-

audience can be expressed using logical names or physical addresses (like URLs). To prevent phishing, it is necessary to use the actual URL the client will send requests to. In the phishing case, this URL will point to the counterfeit resource server. If the attacker tries to use the access token at the legitimate resource server (which has a different URL), the resource server will detect the mismatch (wrong audience) and refuse to serve the request

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.10.2-3
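The three checks quoted above (exact redirect URI matching with the loopback-port exception for native apps, PKCE S256 verification, and audience-restricted access tokens at the resource server) as one small added example; this is my own illustration, not code from the draft, and all URLs are constructed:

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def redirect_uri_allowed(registered: str, presented: str, native_app: bool) -> bool:
    """Authorization-server check: exact string match of the redirect URI.
    Only exception (per the BCP): a native app's loopback URI may carry any
    port, because the OS assigns the listening port at run time."""
    if registered == presented:
        return True
    if not native_app:
        return False
    r, p = urlsplit(registered), urlsplit(presented)
    return (
        r.scheme == p.scheme == "http"
        and r.hostname in LOOPBACK_HOSTS
        and r.hostname == p.hostname
        and (r.path, r.query, r.fragment) == (p.path, p.query, p.fragment)
    )


def pkce_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_verifier_ok(code_verifier: str, stored_challenge: str) -> bool:
    """Token-endpoint check: the verifier must reproduce the challenge that was
    sent with the authorization request (S256 only, compared in constant time)."""
    return hmac.compare_digest(pkce_challenge_s256(code_verifier), stored_challenge)


def token_accepted_at(token_aud, own_url: str) -> bool:
    """Resource-server check: serve only if the token's audience names this
    server's own URL, so a token phished for a counterfeit server is useless here."""
    auds = token_aud if isinstance(token_aud, list) else [token_aud]
    return own_url in auds


if __name__ == "__main__":
    # Constructed sample values, not taken from the draft.
    assert redirect_uri_allowed("http://localhost/cb", "http://localhost:51234/cb", native_app=True)
    assert not redirect_uri_allowed("https://app.example/cb", "https://app.example/cb/", native_app=False)
    assert not token_accepted_at("https://counterfeit-rs.example/", "https://rs.example/")
    print("checks ok")
```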

Misuse of Stolen Access Tokens
