Security Best Practices

OAuth 2.0 authentication and authorization for the Oten ecosystem.

Transport Security

HTTPS Requirements

  • Production: Must use https:// for all redirect URIs

  • Development: Can use http://localhost only

  • Use TLS 1.2 or higher


CSRF Protection

State Parameter

The state parameter binds an authorization request to the browser session that started it, so a callback the client did not initiate is rejected. This is what defeats CSRF against the redirect URI.

Implementation:

  1. Generate random state value

  2. Store in session

  3. Include in authorization URL

  4. Validate on callback

Requirements:

  • Minimum 128 bits entropy

  • Cryptographically random

  • Single-use

  • Time-limited (5-10 minutes)
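The four implementation steps and four requirements above, carried through in one place. This is an added example, not code from the Oten project: a dict stands in for the server-side session store (an assumption), the clock is injectable so expiry can be checked, and handle_callback shows the callback refusing to hand over the authorization code when state fails.

```python
import secrets
import time
from typing import Callable, Dict, Optional

# Upper bound of the 5-10 minute window recommended above.
STATE_TTL_SECONDS = 600


class StateStore:
    """Server-side store of issued state values.

    A plain dict stands in for the session backend (assumption); a real
    deployment keeps this in the user's server-side session or a cache keyed
    by session id, never in a cookie the browser can read.
    """

    def __init__(self, ttl: float = STATE_TTL_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._issued: Dict[str, float] = {}

    def issue(self) -> str:
        # 32 bytes from the OS CSPRNG = 256 bits, above the 128-bit minimum.
        state = secrets.token_urlsafe(32)
        self._issued[state] = self._clock()
        return state

    def consume(self, state: Optional[str]) -> bool:
        """Validate and retire a state value in one step (single-use)."""
        if not state:
            return False
        # pop() removes the entry whether or not the check passes, so a replayed
        # or expired value can never be validated a second time.
        issued_at = self._issued.pop(state, None)
        if issued_at is None:
            return False
        return (self._clock() - issued_at) <= self._ttl

    def purge_expired(self) -> int:
        """Housekeeping: drop stale entries so the store cannot grow unbounded."""
        now = self._clock()
        stale = [s for s, t in self._issued.items() if now - t > self._ttl]
        for s in stale:
            del self._issued[s]
        return len(stale)


def handle_callback(query: Dict[str, str], store: StateStore) -> Optional[str]:
    """Callback handler: release the authorization code only if state is valid.

    `query` is the parsed redirect query string. On a failed state check the
    code is discarded and None is returned, so the caller never reaches the
    token exchange with an unverified code.
    """
    if not store.consume(query.get("state")):
        return None
    return query.get("code")
```

Note that consume() pops the entry before checking the timestamp: an expired value is both rejected and forgotten, and a second presentation of any value fails regardless of timing.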


PKCE

When required

PKCE is mandatory for:

  • Single Page Applications (SPAs)

  • Mobile applications

  • Any public client

How it works

  1. Generate code verifier (43-128 random characters)

  2. Create code challenge (SHA-256 hash of verifier)

  3. Send challenge with authorization request

  4. Send verifier with token exchange
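The PKCE flow above as working code, added here and not taken from the Oten project. It generates a verifier in the allowed length range, derives the S256 challenge (base64url of the SHA-256 digest, padding stripped), builds the authorization URL that carries the challenge, and shows the check the authorization server performs when the verifier arrives with the token exchange. The endpoint and client identifiers in the usage are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def generate_code_verifier(length: int = 64) -> str:
    """Random verifier of 43-128 characters drawn from the unreserved set."""
    if not 43 <= length <= 128:
        raise ValueError("code verifier must be 43-128 characters long")
    # token_urlsafe(96) yields exactly 128 base64url characters
    # (A-Z, a-z, 0-9, '-', '_'), all valid in a verifier; trim to length.
    return secrets.token_urlsafe(96)[:length]


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, state: str, challenge: str,
                            scope: str = "openid") -> str:
    """Step 3: the challenge (never the verifier) travels with the auth request."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def verify_pkce(verifier: str, stored_challenge: str, method: str = "S256") -> bool:
    """Step 4, server side: recompute the challenge from the presented verifier
    and compare it with the one stored alongside the authorization code."""
    if method != "S256":
        return False  # the 'plain' method gives no protection; only S256 is accepted here
    if not 43 <= len(verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(verifier), stored_challenge)


if __name__ == "__main__":
    # Placeholder endpoint and client values for illustration only.
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(build_authorization_url("https://auth.example/authorize", "example-client",
                                  "https://app.example/callback", "state-placeholder",
                                  challenge))
    print("token exchange accepted:", verify_pkce(verifier, challenge))
```

The verifier stays on the client between steps 3 and 4, which is why an intercepted authorization code alone is not enough to complete the exchange.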


Token security

Storage

  Platform   Recommended                   ❌ Avoid
  Web App    Server-side session           Browser localStorage
  SPA        Memory only                   localStorage/sessionStorage
  iOS        Keychain                      UserDefaults
  Android    EncryptedSharedPreferences    SharedPreferences

Best practices

  • Use short-lived access tokens (15-60 min)

  • Implement refresh token rotation

  • Always use HTTPS

  • Include tokens in Authorization header

  • Never log tokens
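A worked example of the first two practices above: short-lived access tokens and refresh token rotation. This is added code, not part of the Oten project, and it goes one step beyond the list by adding reuse detection, the usual companion to rotation: every refresh token descends from a login "family", a refresh token is valid exactly once, and presenting an already-used token revokes the whole family so neither the legitimate client nor whoever copied the token can continue. In-memory dicts stand in for the token database (assumption).

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ACCESS_TOKEN_TTL = 15 * 60  # seconds; lower end of the 15-60 minute range above


@dataclass
class RefreshRecord:
    family: str          # every token descending from one login shares a family id
    user: str
    used: bool = False
    revoked: bool = False


class TokenService:
    """Issues short-lived access tokens and rotates refresh tokens on each use."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._refresh: Dict[str, RefreshRecord] = {}           # assumption: stands in for a DB
        self._access: Dict[str, Tuple[str, float]] = {}        # token -> (user, expires_at)

    def login(self, user: str) -> Tuple[str, str]:
        family = secrets.token_urlsafe(16)
        return self._issue_pair(user, family)

    def _issue_pair(self, user: str, family: str) -> Tuple[str, str]:
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._access[access] = (user, self._clock() + ACCESS_TOKEN_TTL)
        self._refresh[refresh] = RefreshRecord(family=family, user=user)
        return access, refresh

    def refresh(self, refresh_token: str) -> Optional[Tuple[str, str]]:
        """Rotate: retire the presented refresh token and issue a new pair."""
        rec = self._refresh.get(refresh_token)
        if rec is None or rec.revoked:
            return None
        if rec.used:
            # Reuse detected: a token presented twice means a stale copy exists
            # somewhere. Revoke the family; this event belongs in the
            # "rapid/unusual token usage" monitoring feed.
            self.revoke_family(rec.family)
            return None
        rec.used = True
        return self._issue_pair(rec.user, rec.family)

    def revoke_family(self, family: str) -> int:
        """Revoke every refresh token in a family; returns how many were live."""
        n = 0
        for rec in self._refresh.values():
            if rec.family == family and not rec.revoked:
                rec.revoked = True
                n += 1
        return n

    def validate_access(self, access_token: str) -> Optional[str]:
        """Resource-server check: returns the user while the token is unexpired."""
        entry = self._access.get(access_token)
        if entry is None:
            return None
        user, expires_at = entry
        return user if self._clock() < expires_at else None
```

Access tokens issued before a family revocation remain valid until their own expiry, which is why the short lifetime in the first bullet matters: it bounds how long a compromised session can outlive the revocation.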


Client secret management

Secure storage

  Environment   Solution
  Development   Environment variables (.env)
  Production    Secret management (Vault, AWS Secrets Manager)

Rotation policy

  • Regular: Every 90 days

  • Incident: Immediately upon compromise

  • Automated: Use secret rotation tools


Monitoring

Security events to monitor

  • Failed authentication attempts

  • Unusual token usage patterns

  • Scope escalation attempts

  • Geographic anomalies

  • Rapid token refresh
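Two of the events above, failed authentication attempts and rapid token refresh, turned into detection logic over log lines. This is an added example, not Oten code, and the log format and the sample lines are constructed for it (one line per event: timestamp, event name, then key=value fields). The same sliding-window routine serves both detections; only the event, the key to group on and the threshold differ.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Tuple

# Constructed sample log (not from any real system). Assumed format:
# <ISO-8601 UTC timestamp> <event> key=value ...
SAMPLE_LOG = """\
2024-01-01T10:00:00Z auth_failed client=web1 ip=203.0.113.5
2024-01-01T10:00:05Z auth_failed client=web1 ip=203.0.113.5
2024-01-01T10:00:09Z auth_ok client=web1 ip=198.51.100.7
2024-01-01T10:00:12Z auth_failed client=web1 ip=203.0.113.5
2024-01-01T10:00:20Z auth_failed client=web1 ip=203.0.113.5
2024-01-01T10:00:31Z auth_failed client=web1 ip=203.0.113.5
2024-01-01T10:01:00Z token_refresh client=spa2 ip=198.51.100.7
2024-01-01T10:01:02Z token_refresh client=spa2 ip=198.51.100.7
2024-01-01T10:01:04Z token_refresh client=spa2 ip=198.51.100.7
2024-01-01T10:01:06Z token_refresh client=spa2 ip=198.51.100.7
2024-01-01T10:30:00Z token_refresh client=web1 ip=198.51.100.7
"""


def parse_line(line: str) -> Tuple[datetime, str, Dict[str, str]]:
    """Split one log line into (timestamp, event, fields)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, event, fields


def detect_bursts(lines: List[str], event: str, key: str,
                  threshold: int, window_seconds: int) -> List[Tuple[str, datetime]]:
    """Alert when one subject (the value of `key`) emits `event` at least
    `threshold` times within any `window_seconds` sliding window.
    Returns (subject, time of the event that crossed the threshold)."""
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, datetime]] = []
    for line in lines:
        when, ev, fields = parse_line(line)
        if ev != event or key not in fields:
            continue
        q = windows[fields[key]]
        q.append(when)
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((fields[key], when))
            q.clear()  # one alert per burst, not one per additional event
    return alerts


def run_detections(log_text: str = SAMPLE_LOG) -> Dict[str, List[Tuple[str, datetime]]]:
    """Apply both detections; thresholds are illustrative, tune to your traffic."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    return {
        # 5 failed logins from one source address inside 60 s
        "failed_auth_bursts": detect_bursts(lines, "auth_failed", "ip", 5, 60),
        # 4 refreshes by one client inside 30 s: far faster than any sane access-token TTL
        "rapid_refresh": detect_bursts(lines, "token_refresh", "client", 4, 30),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        for subject, when in hits:
            print(f"{name}: {subject} at {when.isoformat()}")
```

Feeding the refresh detection from the rotation service's reuse events, rather than from raw counts, lowers the false-positive rate: a single reuse is already a signal, whereas a burst of legitimate refreshes can happen after a deploy.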

Incident response

  1. Detect and assess

  2. Revoke compromised credentials

  3. Investigate logs

  4. Rotate secrets

  5. Notify affected users

  6. Document incident


Compliance

Data protection

  • Implement data minimization

  • Provide clear privacy policies

  • Enable user consent management

  • Support data deletion requests

  • Maintain audit logs

Regulations

  • GDPR (EU) - Data protection

  • CCPA (California) - Consumer privacy

  • HIPAA (Healthcare) - Health information

  • PCI DSS (Payment) - Card data security

