Best Practices
- Use widely used and well-known libraries instead of rolling-your-own implementations.
- Avoid performing unnecessary network calls to identity providers.
- Cache public keys if possible, somewhere between 1 to 24 hours.
- Cache tokens locally if possible.
- For the OpenID Connect Authorization Code Flow, use PKCE.
- Do not use the implicit grant - it is considered deprecated and less secure.
- If using cookies, ensure that you set appropriate attributes:
  - HttpOnly - disallow access from client-side JavaScript
  - Secure - only allow transmission for HTTPS requests
  - SameSite - should be Lax or Strict to combat cross-site request forgery.
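The two items above that most often go wrong in practice are PKCE and cookie attributes. The following is an added example, not code from this page: it implements the S256 code challenge for the Authorization Code Flow with a token-endpoint check, and builds a Set-Cookie header that carries the attributes listed. Function names are assumptions chosen for this example; the test vector comes from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# code_verifier charset and length per RFC 7636 section 4.1: unreserved chars, 43..128 long
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43 base64url chars, the RFC minimum length."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint.

    stored_challenge/method were bound to the authorization code when it was issued.
    Rejects the downgradable 'plain' method and malformed verifiers, and compares the
    recomputed challenge in constant time.
    """
    if method != "S256" or not _VERIFIER_RE.match(presented_verifier):
        return False
    return hmac.compare_digest(stored_challenge, code_challenge_s256(presented_verifier))


def session_cookie_header(name: str, value: str, same_site: str = "Lax") -> str:
    """Set-Cookie value with HttpOnly, Secure and SameSite (Lax or Strict only)."""
    if same_site not in ("Lax", "Strict"):
        raise ValueError("SameSite must be Lax or Strict for session cookies")
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite={same_site}"


if __name__ == "__main__":
    v = make_code_verifier()
    c = code_challenge_s256(v)
    print("challenge ok:", verify_pkce(c, "S256", v))
    print(session_cookie_header("sid", "example-session-id"))
```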
It is also recommended that you familiarize yourself with the following specifications:
- RFC 6819 - OAuth 2.0 Threat Model and Security Considerations
- Draft RFC - OAuth 2.0 Security Best Current Practice
Last update:
2022-03-30
Created: 2022-03-30