Cheat Sheet
New OAuth Security Recommendations

The OAuth Security BCP contains a number of new and updated recommendations on the usage of OAuth 2.0. I recommend reading the whole document to understand the threats and attacks that lead to these guidelines. As a quick reference, the following table shows an overview of the most important new recommendations:

New Recommendation Reason
AS MUST use exact matching of client redirect URIs against pre-registered URIs prevention of leakage of authorization codes and access tokens; detect mix-up
Clients SHOULD avoid open redirectors prevent open redirector attacks
Clients MUST use one-time use state nonce bound to user agent prevent CSRF
Clients MUST memorize combination of AS and user agent and ensure subsequent messages match this binding prevent mix-up attacks
Auth Code Grant: MUST use PKCE (all kinds of clients) detect and prevent auth code replay
Auth Code Grant: SHOULD use client authentication if possible detect and prevent auth code replay
Prevent leakage of code through referrer headers, request logs, and browser history prevent auth code replay
Implicit Grant: SHOULD NOT be used unless tokens can be sender-constrained prevent leakage and replay of access tokens
AS SHOULD use TLS-based methods for sender-constraining access tokens prevent token replay
access tokens SHOULD be associated with a minimum of privileges prevent misuse of privileges
access tokens SHOULD be restricted to certain RS prevent misuse of access tokens
AS MUST NOT use HTTP 307 redirect (if user credentials could be redirected) prevent leakage of credentials
AS MUST use sender-constrained refresh tokens or refresh token rotation detect and prevent refresh token replay

This list is based on version -12 of the draft and will be updated in the future.