Recommendations for using OAuth and OIDC

OAuth 2.0/OpenID Connect in general

OAuth 2.0 / OpenID Connect must be considered a framework for designing solutions to delegate access. The framework allows for a lot of flexibility.

For any solution designed in this framework, be aware of the following:

  1. The fact that a solution follows the OAuth 2.0 specification does not imply that the solution is secure. To obtain a secure solution, one must specifically design it for the security requirements at hand and verify its security using appropriate measures such as, but not limited to:
    • security consulting,
    • internal and external security reviews in the design, implementation, and integration phases,
    • penetration tests.
  2. The framework has been designed for access delegation: it lets a client obtain an access token to act on a user's behalf, but an access token by itself says nothing to the client about who the user is. Nevertheless, OAuth 2.0 is often employed to implement single sign-on (i.e., to achieve authentication goals). Historically, this has led to many vulnerable authentication solutions; OpenID Connect adds the identity layer (the ID token, bound to the requesting client) that plain OAuth 2.0 lacks. We would like to stress recommendation 1 especially in this case.
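
The single sign-on point above, shown in code. This is an added example and not Airlock's code or a statement about how Airlock IAM behaves: the issuer URL, client ID and key are assumptions, and an HMAC (HS256) key stands in for the provider's asymmetric signing key so the example runs offline. `login_vulnerable` accepts any validly signed token from the provider as proof of identity, which is the classic mistake when OAuth artefacts are repurposed for authentication; `login_hardened` applies the checks OpenID Connect requires before an ID token may be used to log someone in.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared HMAC key standing in for the provider's signing key.
# Production providers sign ID tokens with an asymmetric key published via JWKS; HS256 is
# used here only so the example runs offline without a JWT library.
ISSUER = "https://idp.example"           # assumed issuer URL
ISSUER_KEY = b"example-only-signing-key"  # assumed key
OUR_CLIENT_ID = "our-web-app"            # assumed client registration


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(sub, aud, nonce, now=None, lifetime=300):
    """Provider side: sign an ID token for the client identified by `aud`."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": ISSUER, "sub": sub, "aud": aud, "nonce": nonce,
                                 "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def verify_signature(token):
    """Signature and issuer only: this is all that the vulnerable login below checks."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never accept alg=none or an algorithm swap
    expected = hmac.new(ISSUER_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    return claims


def login_vulnerable(token):
    """Treats any validly signed token from the provider as proof of identity.
    A token the provider issued to a *different* client (leaked, or obtained by a
    malicious app the user also logged in to) logs its subject into this application."""
    return verify_signature(token)["sub"]


def login_hardened(token, expected_nonce, now=None):
    """Audience, expiry and nonce checks (OpenID Connect Core 3.1.3.7) on top of the signature."""
    claims = verify_signature(token)
    aud = claims.get("aud")
    if OUR_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce does not match this login attempt (replay)")
    return claims["sub"]


def rejected(fn, *args):
    """True if the call is refused with ValueError."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

The decisive check is the audience: a token is evidence of authentication only for the client it was issued to. The nonce ties the token to the login attempt that requested it, so a captured token cannot be replayed into a fresh session.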

OAuth 2.0/OpenID Connect in mobile applications

Over the past few years, the use of OAuth 2.0/OpenID Connect for mobile applications has increased drastically. This has led to a variety of vulnerable implementations.

In particular, the following points are important for secure implementations:

  1. The OAuth 2.0 framework relies heavily on browser redirects. If this mechanism is omitted or replaced by other mechanisms in mobile applications (for example, the app collecting the user's credentials itself and forwarding them to the server), the resulting solutions are prone to be insecure.
  2. Public native app clients should implement the Proof Key for Code Exchange (PKCE) extension to OAuth (RFC 7636) with the S256 challenge method. When Airlock IAM acts as the authorization server, it should be configured to use its PKCE support, so that an authorization code intercepted on the device cannot be exchanged for tokens without the client's code verifier.
  3. OAuth 2.0 authorization requests from native apps should only be made through external user agents, i.e., the user's system browser (or an in-app browser tab backed by it), never through an embedded web view under the app's control (RFC 8252).
  4. Using the Implicit Grant has led to insecure solutions. This grant type is not recommended for mobile applications; use the Authorization Code Grant with PKCE instead.
  5. Apply the general points discussed in the previous subsection.
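
The redirect, PKCE, external user agent and implicit grant points above, put together as one exchange. This is an added example, not Airlock's code: the authorization endpoint, client ID and redirect URI are assumptions, and `AuthorizationServer` is a constructed in-memory model of the server-side checks, not Airlock IAM's implementation. The client side builds the authorization request for the system browser, validates `state` on the redirect the OS hands back, and sends the verifier with the token request; the server side refuses implicit requests, requires S256, and rejects a code exchange whose verifier does not hash to the stored challenge.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Assumed values for the example, not a real Airlock IAM endpoint or client registration.
AUTHZ_ENDPOINT = "https://iam.example/oauth2/authorize"
CLIENT_ID = "example-mobile-app"
REDIRECT_URI = "com.example.app:/oauth2redirect"   # private-use URI scheme, RFC 8252


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Fresh per request: 32 random bytes give a 43-char verifier (RFC 7636 allows 43..128)."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_request(challenge, state, nonce):
    """URL the app opens in the external user agent (system browser), never a web view."""
    params = {
        "response_type": "code",          # authorization code grant; "token" (implicit) is avoided
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,                   # ties the redirect back to this request
        "nonce": nonce,                   # echoed in the ID token by the OIDC provider
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_redirect(redirect, expected_state):
    """Read the code from the redirect the OS handed to the app; drop redirects we did not start."""
    query = parse_qs(redirect.split("?", 1)[1])
    if not hmac.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: redirect does not belong to a request of ours")
    return query["code"][0]


def build_token_request(code, verifier):
    """Form body for the token endpoint; a public client has no secret, the verifier is the proof."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "code_verifier": verifier}


class AuthorizationServer:
    """Constructed in-memory model of the server-side checks; not Airlock IAM's implementation."""

    def __init__(self):
        self._pending = {}   # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, request_url):
        q = {k: v[0] for k, v in parse_qs(request_url.split("?", 1)[1]).items()}
        if q.get("response_type") != "code":
            raise ValueError("only the authorization code grant is enabled for this client")
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            raise ValueError("PKCE with S256 is required for this public client")
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("client_id/redirect_uri do not match the registration")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form):
        entry = self._pending.pop(form.get("code"), None)     # codes are single use
        if entry is None:
            raise ValueError("unknown or already redeemed code")
        client_id, redirect_uri, challenge = entry
        if form.get("client_id") != client_id or form.get("redirect_uri") != redirect_uri:
            raise ValueError("token request does not match the authorization request")
        derived = b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
        if not hmac.compare_digest(derived, challenge):
            raise ValueError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def rejected(fn, *args):
    """True if the call is refused with ValueError."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


def legitimate_flow(server):
    """The complete exchange between the native app and the authorization server."""
    verifier, challenge = new_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    redirect = server.authorize(build_authorization_request(challenge, state, nonce))
    code = parse_redirect(redirect, state)
    return server.token(build_token_request(code, verifier))


def intercepted_code_attack(server):
    """A malicious app registered for the same URI scheme receives the redirect and the code,
    but the verifier never left the legitimate app, so the exchange fails."""
    verifier, challenge = new_pkce_pair()          # verifier stays in the legitimate app
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    redirect = server.authorize(build_authorization_request(challenge, state, nonce))
    stolen_code = parse_redirect(redirect, state)
    return rejected(server.token, build_token_request(stolen_code, "attacker-guess"))
```

Without PKCE, a public client has nothing to present at the token endpoint beyond the code itself, so whoever receives the redirect on the device wins; with it, the code is useless to anyone who did not generate the verifier. The same verifier check is what makes the server's refusal of the implicit grant safe to insist on: there is no reason left to return tokens in the front channel.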