This chapter covers
- Avoiding common implementation vulnerabilities in the authorization server
- Protecting against known attacks directed at the authorization server
In the last few chapters, we’ve looked at how OAuth clients and protected resources can be vulnerable to attackers. In this chapter, we’re going to focus on the authorization server with the same eye towards security. We’ll see that securing it is harder than securing the other components, simply because of what the authorization server has to do: it is probably the most complex component in the OAuth ecosystem, as we saw while building one in chapter 5. We’ll outline in detail many of the threats you can encounter while implementing an authorization server and what you need to do to avoid security pitfalls and common mistakes.