Chapter 7. Common client vulnerabilities

This chapter covers

  • Avoiding common implementation vulnerabilities in OAuth clients
  • Protecting OAuth clients against known attacks

As we discussed in chapter 1, in the OAuth ecosystem there are many more clients than other types of components, both in variety and in number. What should you do if you’re implementing a client? Well, you can download the OAuth core specification[1] and follow it as best you can. Additionally, you can read some helpful tutorials from the OAuth community, scattered across a wide variety of mailing lists, blogs, and so on. If you’re particularly keen on security, you can even read the “OAuth 2.0 Threat Model and Security Considerations” specification[2] and follow similar best practice guides. But even then, will your implementation be bulletproof? In this chapter, we’re going to look at a few common attacks against clients and discover practical ways to prevent them.

7.1. General client security

7.2. CSRF attack against the client

7.3. Theft of client credentials

7.4. Registration of the redirect URI

7.5. Theft of authorization codes

7.6. Theft of tokens

7.7. Native applications best practices

7.8. Summary
