Security Best Practices

OAuth 2.0 authentication and authorization for the Oten Platform.

Transport Security

HTTPS Requirements

  • Production: Must use https:// for all redirect URIs

  • Development: Can use http://localhost only

  • Use TLS 1.2 or higher


CSRF Protection

State Parameter

The state parameter binds the authorization response to the session that started the flow, so an attacker cannot complete a login on a victim's behalf by sending them a crafted callback (CSRF).

Implementation:

  1. Generate random state value

  2. Store in session

  3. Include in authorization URL

  4. Validate on callback

Requirements:

  • Minimum 128 bits entropy

  • Cryptographically random

  • Single-use

  • Time-limited (5-10 minutes)


PKCE

When Required

PKCE is mandatory for:

  • Single Page Applications (SPAs)

  • Mobile applications

  • Any public client

How it Works

  1. Generate code verifier (43-128 random characters)

  2. Create code challenge (SHA-256 hash of verifier)

  3. Send challenge with authorization request

  4. Send verifier with token exchange
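
The state handling (State Parameter, steps 1-4) and the PKCE flow (steps 1-4 above), as an added Python example; this is not code from the Oten Platform documentation or SDK. The authorize endpoint, client_id, redirect URI and the dict used as a stand-in for a server-side session store are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

STATE_TTL_SECONDS = 600  # upper end of the 5-10 minute window recommended above

def generate_state() -> str:
    # 32 random bytes = 256 bits of entropy, above the 128-bit minimum; urlsafe for the query string
    return secrets.token_urlsafe(32)

def store_state(session: dict, state: str, now: Optional[float] = None) -> None:
    # The dict stands in for your server-side session store (assumption)
    session["oauth_state"] = state
    session["oauth_state_issued_at"] = time.time() if now is None else now

def validate_state(session: dict, returned_state: str, now: Optional[float] = None) -> bool:
    """Single-use (popped on first check), time-limited, constant-time comparison."""
    now = time.time() if now is None else now
    expected = session.pop("oauth_state", None)
    issued_at = session.pop("oauth_state_issued_at", None)
    if expected is None or issued_at is None or now - issued_at > STATE_TTL_SECONDS:
        return False
    return hmac.compare_digest(expected, returned_state)

def generate_code_verifier() -> str:
    # RFC 7636: 43-128 unreserved chars; 32 random bytes base64url-encode (no padding) to exactly 43
    return secrets.token_urlsafe(32)

def code_challenge(verifier: str) -> str:
    # S256 method: base64url(SHA-256(verifier)) with the '=' padding stripped
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, verifier: str) -> str:
    # Only the challenge travels in the front channel; the verifier stays with the client until step 4
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state,
              "code_challenge": code_challenge(verifier), "code_challenge_method": "S256"}
    return f"{authorize_endpoint}?{urlencode(params)}"

def server_checks_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    # Authorization-server side of step 4: recompute the challenge and compare in constant time
    return hmac.compare_digest(stored_challenge, code_challenge(presented_verifier))
```

The `code_challenge` function reproduces the RFC 7636 Appendix B test vector, which is a quick way to check any port of it to another language.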


Token Security

Storage

Platform    Recommended                   ❌ Avoid
Web App     Server-side session           Browser localStorage
SPA         Memory only                   localStorage/sessionStorage
iOS         Keychain                      UserDefaults
Android     EncryptedSharedPreferences    SharedPreferences

Best Practices

  • Use short-lived access tokens (15-60 min)

  • Implement refresh token rotation

  • Always use HTTPS

  • Include tokens in Authorization header

  • Never log tokens


Client Secret Management

Secure Storage

Environment    Solution
Development    Environment variables (.env)
Production     Secret management (Vault, AWS Secrets Manager)

Rotation Policy

  • Regular: Every 90 days

  • Incident: Immediately upon compromise

  • Automated: Use secret rotation tools


Monitoring

Security Events to Monitor

  • Failed authentication attempts

  • Unusual token usage patterns

  • Scope escalation attempts

  • Geographic anomalies

  • Rapid token refresh

Incident Response

  1. Detect and assess

  2. Revoke compromised credentials

  3. Investigate logs

  4. Rotate secrets

  5. Notify affected users

  6. Document incident


Compliance

Data Protection

  • Implement data minimization

  • Provide clear privacy policies

  • Enable user consent management

  • Support data deletion requests

  • Maintain audit logs

Regulations

  • GDPR (EU) - Data protection

  • CCPA (California) - Consumer privacy

  • HIPAA (Healthcare) - Health information

  • PCI DSS (Payment) - Card data security

