OAuth 2.0 Security Best Current Practice
This document describes best current security practice for OAuth 2.0.
It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.