OAuth 2.0 Threat Model and Security Considerationsfleeting
access token is used by a client to access a resource.
Access tokens typically have short life spans (minutes or hours) that cover typical session lifetimes
refresh token, coupled with a short access token lifetime, can be used to grant longer access to resources without involving end-user authorization. This offers an advantage where resource servers and authorization servers are not the same entity, e.g., in a distributed environment, as the refresh token is always exchanged at the authorization server. The authorization server can revoke the refresh token at any time, causing the granted access to be revoked once the current access token expires. Because of this, a short access token lifetime is important if timely revocation is a high priority.
Authorization “codes” are sent to the client’s redirect URI instead of tokens for two purposes:
Browser-based flows expose protocol parameters to potential attackers via URI query parameters (HTTP referrer), the browser cache, or log file entries, and could be replayed. In order to reduce this threat, short-lived authorization “codes” are passed instead of tokens and exchanged for tokens over a more secure direct connection between the client and the authorization server.
redirect URI helps to detect malicious clients and prevents phishing attacks from clients attempting to trick the user into believing the phisher is the client.
helps to prevent attacks where the authorization “code” is revealed through redirectors and counterfeit web application clients.
The “state” parameter is used to link requests and callbacks to prevent cross-site request forgery attacks