Security best practices for OAuth 2.0 and OIDC

For OAuth 2.0 and OpenID Connect, the following security best practices are recommended:

  • For native and mobile apps, the user-agent should be the system browser (or an in-app browser tab backed by it), as RFC 8252 recommends. It should not be an embedded web view, and the app itself must never collect the user's credentials: both expose the credentials and the browser session to the app.
  • As a rule, Proof Key for Code Exchange (PKCE), as specified in RFC 7636, should be used with the S256 challenge method (not "plain"). This is mandatory in practice for public clients and mobile applications, which cannot keep a client secret, and it also protects confidential clients against authorization code injection.
  • Lifetimes of authorization codes should be very short (a few seconds), and a code must be accepted only once. Lifetimes of access tokens should be short (less than an hour). Lifetimes of refresh tokens strongly depend on the use case; for public clients, rotate the refresh token on every use.
  • Client secrets should:
    • Have enough entropy to make brute-force and guessing attacks infeasible.
    • Be at least 128 bits long, and preferably 256 bits for publicly accessible endpoints.
    • Be generated with a cryptographically secure random number generator, for example the one OpenSSL provides.
    • Example: the following command generates 32 bytes (256 bits) of entropy, Base64-encoded:

        openssl rand -base64 32
  • Recommendation: instead of client secrets, we strongly recommend stronger client authentication methods such as
    • mTLS (X.509 client certificates, RFC 8705)
    • Private Key JWT (public/private key-based authentication, RFC 7523)
    For details, see OAuth 2.0/OIDC client authentication.
  • Use token revocation (RFC 7009) and token introspection (RFC 7662) so that the authorization server keeps control over issued tokens and resource servers can check whether a token is still valid before accepting it.
  • Restrict access to endpoints. All endpoints that do not need to be reachable from the internet should be protected by a firewall or WAF/MGW to reduce the attack surface.
  • A comprehensive discussion of security considerations is presented in RFC 6819; the OAuth 2.0 Security Best Current Practice (RFC 9700) updates it with current recommendations.
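The PKCE and code-lifetime points above, worked through end to end. This is an added example and not code from the original page: the in-memory AuthorizationServer is a stand-in for a real authorization server, and the client_id "mobile-app" is a placeholder. The client keeps the code_verifier to itself and sends only the S256 challenge; the server binds the code to the client and the challenge, expires it after a few seconds, accepts it once, and recomputes the challenge from the verifier at the token endpoint.

```python
"""PKCE (RFC 7636, S256) with a short-lived, single-use authorization code.

Added example, not code from the original page. The in-memory AuthorizationServer
is a stand-in for a real authorization server (an assumption of this example).
"""
import base64
import hashlib
import secrets
import time

CODE_LIFETIME_SECONDS = 10      # authorization codes: "a few seconds"
ACCESS_TOKEN_LIFETIME = 900     # access tokens: well under an hour


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters (256 bits of entropy)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Issues codes bound to a client and a challenge; redeems each code at most once."""

    def __init__(self, clock=time.time):
        self._clock = clock             # injectable so tests can advance time
        self._codes = {}                # code -> (client_id, challenge, issued_at)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: store the challenge with the freshly issued code."""
        if method != "S256":
            raise ValueError("invalid_request: only the S256 method is accepted")
        code = b64url(secrets.token_bytes(32))
        self._codes[code] = (client_id, code_challenge, self._clock())
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        """Token endpoint: check binding, lifetime and verifier before issuing a token."""
        entry = self._codes.pop(code, None)     # pop: a code can be redeemed only once
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        bound_client, challenge, issued_at = entry
        if bound_client != client_id:
            raise PermissionError("invalid_grant: code was issued to another client")
        if self._clock() - issued_at > CODE_LIFETIME_SECONDS:
            raise PermissionError("invalid_grant: code expired")
        if not 43 <= len(code_verifier) <= 128:
            raise PermissionError("invalid_grant: code_verifier length out of range")
        # Recompute the challenge from the presented verifier; constant-time compare.
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            raise PermissionError("invalid_grant: code_verifier does not match challenge")
        return {"access_token": b64url(secrets.token_bytes(32)),
                "token_type": "Bearer", "expires_in": ACCESS_TOKEN_LIFETIME}


def run_flow(server: AuthorizationServer, client_id: str = "mobile-app") -> dict:
    """Client side of the flow: the verifier never leaves the app, only the challenge does."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    return server.token(client_id, code, verifier)


if __name__ == "__main__":
    print(run_flow(AuthorizationServer()))
```

The verifier/challenge pair from RFC 7636 Appendix B can be used to check the S256 computation: the verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk must yield the challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM. Note that a failed redemption also consumes the code, so an attacker who intercepts a code and guesses a wrong verifier burns it for the legitimate client as well, which is the intended fail-closed behaviour.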
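The Private Key JWT recommendation above, shown from both sides. This is an added example and not code from the original page or from any particular product. It assumes the third-party Python package cryptography for ES256 signing; TOKEN_ENDPOINT is a placeholder URL and "backend-svc" a placeholder client_id. The client signs a short-lived assertion with its private key; the authorization server looks up the registered public key by (client_id, kid), pins the algorithm, verifies the signature, and checks audience, expiry and a jti replay cache before treating the client as authenticated.

```python
"""Client authentication with private_key_jwt (OIDC Core 9, RFC 7523) using ES256.

Added example, not code from the original page. Uses the third-party `cryptography`
package (an assumption). TOKEN_ENDPOINT is a placeholder for the real token endpoint.
"""
import base64
import json
import secrets
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature, encode_dss_signature)

TOKEN_ENDPOINT = "https://as.example/token"   # placeholder; the assertion's audience
MAX_ASSERTION_LIFETIME = 300                    # reject assertions valid for longer


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_client_key():
    """P-256 key pair; the private half stays with the client, the public half is registered."""
    return ec.generate_private_key(ec.SECP256R1())


def make_client_assertion(client_id: str, private_key, kid: str, now: int, lifetime: int = 60) -> str:
    """Client side: a short-lived JWT signed with the client's private key, no shared secret."""
    header = {"alg": "ES256", "typ": "JWT", "kid": kid}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "jti": b64url(secrets.token_bytes(16)), "iat": now, "exp": now + lifetime}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    der = private_key.sign(signing_input.encode("ascii"), ec.ECDSA(hashes.SHA256()))
    r, s = decode_dss_signature(der)                       # JWS wants raw r||s, not DER
    return signing_input + "." + b64url(r.to_bytes(32, "big") + s.to_bytes(32, "big"))


class ClientAuthenticator:
    """Authorization server side: registered public keys plus a jti replay cache."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._keys = {}        # (client_id, kid) -> public key
        self._seen_jti = {}    # jti -> exp, kept until the assertion would have expired

    def register(self, client_id: str, kid: str, public_key) -> None:
        self._keys[(client_id, kid)] = public_key

    def authenticate(self, assertion: str) -> str:
        """Return the authenticated client_id, or raise PermissionError."""
        parts = assertion.split(".")
        if len(parts) != 3:
            raise PermissionError("invalid_client: malformed assertion")
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        if header.get("alg") != "ES256":                     # pin the algorithm; never accept "none"
            raise PermissionError("invalid_client: unexpected alg")
        client_id = claims.get("iss")
        key = self._keys.get((client_id, header.get("kid")))
        if key is None or claims.get("sub") != client_id:
            raise PermissionError("invalid_client: unknown client or key")
        sig = b64url_decode(parts[2])
        if len(sig) != 64:
            raise PermissionError("invalid_client: bad signature length")
        der = encode_dss_signature(int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big"))
        try:
            key.verify(der, (parts[0] + "." + parts[1]).encode("ascii"), ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            raise PermissionError("invalid_client: signature verification failed")
        now = int(self._clock())
        if claims.get("aud") not in (TOKEN_ENDPOINT, [TOKEN_ENDPOINT]):
            raise PermissionError("invalid_client: assertion not addressed to this token endpoint")
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now or exp - now > MAX_ASSERTION_LIFETIME:
            raise PermissionError("invalid_client: assertion expired or lifetime too long")
        jti = claims.get("jti")
        self._seen_jti = {j: e for j, e in self._seen_jti.items() if e > now}   # drop expired
        if not jti or jti in self._seen_jti:
            raise PermissionError("invalid_client: assertion replayed")
        self._seen_jti[jti] = exp
        return client_id


if __name__ == "__main__":
    key = generate_client_key()
    auth = ClientAuthenticator()
    auth.register("backend-svc", "key-1", key.public_key())
    print(auth.authenticate(make_client_assertion("backend-svc", key, "key-1", int(time.time()))))
```

The assertion is sent to the token endpoint as client_assertion together with client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer. Checking the audience stops an assertion captured at one server from being replayed at another, and the jti cache stops it being replayed at the same one within its lifetime.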