
Best Practices

  • Use widely used and well-known libraries instead of rolling your own implementations.
  • Avoid performing unnecessary network calls to identity providers.
    • Cache public keys if possible, for somewhere between 1 and 24 hours.
    • Cache tokens locally if possible.
  • For the OpenID Connect Authorization Code Flow, use PKCE.
    • Do not use the implicit grant - it is considered deprecated and less secure.
  • If using cookies, ensure that you set appropriate attributes:
    • HttpOnly - disallow access from client-side JavaScript
    • Secure - only allow transmission for HTTPS requests
    • SameSite - should be Lax or Strict to combat cross-site request forgery.
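
To make the PKCE recommendation concrete, the following added example (not part of the original page) shows both sides of the S256 exchange from RFC 7636 using only the Python standard library, so the mechanism is visible. ToyAuthorizationServer and demo are hypothetical names standing in for the identity provider and client; a real application should let its OpenID Connect library do this.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client: 32 random bytes give a 43-character verifier (43-128 allowed)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """Client: value sent as code_challenge with code_challenge_method=S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Hypothetical in-memory stand-in for the identity provider."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def redeem(self, code: str, code_verifier: str) -> bool:
        # Codes are single use: remove the entry before checking it.
        expected = self._pending.pop(code, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected, s256_challenge(code_verifier))


def demo() -> tuple:
    server = ToyAuthorizationServer()
    verifier = new_code_verifier()  # never leaves the client until redemption
    # A party that holds only the authorization code cannot redeem it.
    code_a = server.authorize(s256_challenge(verifier))
    without_verifier = server.redeem(code_a, new_code_verifier())
    code_b = server.authorize(s256_challenge(verifier))
    with_verifier = server.redeem(code_b, verifier)
    return without_verifier, with_verifier
```

Calling demo() returns one result for a redemption attempt with the wrong verifier and one for the legitimate client; the failed attempt also consumes the code, which is why the demo requests a second one.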

It is also recommended that you familiarize yourself with the following specifications:


Last update: 2022-03-30
Created: 2022-03-30