- Use widely used and well-known libraries instead of rolling-your-own implementations.
- Avoid performing unnecessary network calls to identity providers.
- Cache public keys if possible, somewhere between 1 to 24 hours.
- Cache tokens locally if possible.
- For the OpenID Connect Authorization Code Flow, use PKCE.
- Do not use the implicit grant - it is considered deprecated and less secure.
- If using cookies, ensure that you set appropriate attributes:
  - Secure - only allow transmission for HTTPS requests.
  - SameSite - should be Strict to combat cross-site request forgery.
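The PKCE recommendation above, as an added example that is not part of the original page: both halves of the exchange as described in RFC 7636, a client generating a code_verifier and its S256 code_challenge, and an authorization server that binds the challenge to the authorization code and checks the verifier at the token endpoint. The in-memory code store and the function names are assumptions for illustration; the test vector is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: verifier is 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def _b64url(data: bytes) -> str:
    """Base64url without padding, as required by RFC 7636."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: 32 random bytes -> 43-character verifier (RFC 7636 minimum)."""
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# Authorization server side (hypothetical in-memory store: code -> challenge/method).
_issued_codes: dict = {}


def issue_authorization_code(code_challenge: str, code_challenge_method: str) -> str:
    """Bind the challenge to a freshly issued authorization code; only S256 is accepted."""
    if code_challenge_method != "S256":
        raise ValueError("only S256 is accepted; 'plain' leaks the verifier")
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = (code_challenge, code_challenge_method)
    return code


def redeem_authorization_code(code: str, code_verifier: str) -> bool:
    """Token endpoint check: recompute the challenge from the presented verifier.

    The code is single-use: it is removed whether or not the check succeeds, so a
    stolen code cannot be retried with different verifiers.
    """
    entry = _issued_codes.pop(code, None)
    if entry is None:
        return False
    stored_challenge, method = entry
    if method != "S256" or not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    # Constant-time comparison of the two base64url strings.
    return hmac.compare_digest(code_challenge_s256(code_verifier), stored_challenge)


def run_flow(verifier: str) -> bool:
    """Whole exchange: client creates challenge, server issues code, client redeems it."""
    code = issue_authorization_code(code_challenge_s256(verifier), "S256")
    return redeem_authorization_code(code, verifier)


if __name__ == "__main__":
    v = make_code_verifier()
    print("verifier:", v)
    print("challenge:", code_challenge_s256(v))
    print("flow ok:", run_flow(v))
```

The server rejects the "plain" method outright and treats the authorization code as single-use, which is what makes PKCE effective against an intercepted code: an attacker holding the code but not the verifier cannot complete the token request, and a wrong guess burns the code.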
It is also recommended that you familiarize yourself with the following specifications:
- RFC 6819 - OAuth 2.0 Threat Model and Security Considerations
- Draft RFC - OAuth 2.0 Security Best Current Practice
Last update: 2022-03-30