
OAuth Security Cheatsheet - homakov
http://www.oauthsecurity.com/
======
stormbrew
The place I work for deals with about 20 different sites' oauth processes and
it's amazing how widely varied they are. Some of them let you restrict the
redirect_uri while others don't, some of them still need you to send a
login/password pair for the first request rather than do an oauth flow, but
then still use oauth-style tokens all over the place. A couple of them
_require_ that the token be passed as a query string parameter instead of as a
header for all requests. Being responsibly secure with all of them is quite
difficult. It doesn't help that it's very difficult to have a development
environment work properly with them, so doing active work against them is
often painful.

OAuth is basically a complete mess, implementation-wise, and that's really sad
since it's such a promising and useful premise.

~~~
fnom
I've heard great stuff about oauth.io . They try to provide an
abstraction layer that handles the various different implementations (often
buggy or not to spec) of oauth.

~~~
indeyets
That might be true, but I don't like the idea of having a MITM. That's an
additional point of potential security issues.

~~~
fnom
I think it's fully open source[1] and you can host it on your own.

[1][https://github.com/oauth-io/oauthd](https://github.com/oauth-io/oauthd)

------
homakov
It's using the free plan on heroku, so if it goes down the repo is available at
[https://github.com/homakov/oauthsecurity](https://github.com/homakov/oauthsecurity)

~~~
aaronpk
@homakov I'd be happy to host this content on the oauth.net website if you'd
like.

~~~
homakov
I think just an external link will be great, because I don't want to remove
the sakurity logo :)

------
lstamour
Some good points. Other links of interest:
[http://tools.ietf.org/html/rfc6819](http://tools.ietf.org/html/rfc6819) and
OWASP cheat sheets, including ones on authentication in general:
[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series](https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series)
amongst other resources on Google ;-)

------
pm24601
Thanks for this list. I will be reviewing our site at whalepath.com to make
sure we are not vulnerable.

btw, linkedin has implemented a number of the countermeasures listed in:

* static redirects

* checking that the redirect listed is the same for all calls.

* fast expiration of code.

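The three countermeasures in the list above (a statically registered redirect, the same redirect_uri enforced at the authorization and token endpoints, and a short code lifetime) fit in a few dozen lines on the authorization-server side. The following is an added example written for this thread, not LinkedIn's or anyone else's code; the client id, the registered URI `https://app.example/cb`, the 60-second TTL and the in-memory stores are all assumptions for illustration.

```python
"""Minimal OAuth 2.0 authorization-code checks (added example, not from the thread)."""
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 60  # assumed short lifetime for authorization codes


@dataclass
class Client:
    client_id: str
    redirect_uris: frozenset  # statically registered at client creation


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str  # the exact value accepted at the authorization endpoint
    issued_at: float
    used: bool = False


class AuthServer:
    def __init__(self, clients, now=time.time):
        self.clients = {c.client_id: c for c in clients}
        self.codes = {}
        self.now = now  # injectable clock so expiry can be exercised offline

    def authorize(self, client_id, redirect_uri):
        client = self.clients.get(client_id)
        if client is None:
            raise ValueError("unknown client")
        # Exact string comparison against the registered set: no prefix or
        # host-suffix matching, so path traversal, look-alike subdomains and
        # appended query parameters are all rejected.
        if redirect_uri not in client.redirect_uris:
            raise ValueError("redirect_uri not registered")
        code = secrets.token_urlsafe(32)
        self.codes[code] = IssuedCode(client_id, redirect_uri, self.now())
        return code

    def token(self, client_id, code, redirect_uri):
        rec = self.codes.get(code)
        if rec is None or rec.used:
            raise ValueError("invalid code")
        # Burn the code on first presentation, whatever the outcome, so a
        # stolen code cannot be retried after a failed attempt.
        rec.used = True
        if rec.client_id != client_id:
            raise ValueError("code issued to a different client")
        # The redirect_uri at the token endpoint must equal the one used in
        # the authorization request (the "same for all calls" check).
        if rec.redirect_uri != redirect_uri:
            raise ValueError("redirect_uri mismatch")
        if self.now() - rec.issued_at > CODE_TTL_SECONDS:
            raise ValueError("code expired")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_demo(start=1000.0):
    """Exercise each check against constructed attacker and legitimate inputs."""
    clock = [start]
    srv = AuthServer([Client("app", frozenset({"https://app.example/cb"}))],
                     now=lambda: clock[0])
    out = {}

    def attempt(label, fn):
        try:
            fn()
            out[label] = "ok"
        except ValueError as exc:
            out[label] = str(exc)

    attempt("traversal", lambda: srv.authorize("app", "https://app.example/cb/../evil"))
    attempt("subdomain", lambda: srv.authorize("app", "https://app.example.evil.com/cb"))
    attempt("extra_query", lambda: srv.authorize("app", "https://app.example/cb?x=1"))
    code = srv.authorize("app", "https://app.example/cb")
    attempt("redirect_mismatch", lambda: srv.token("app", code, "https://attacker.example/cb"))
    attempt("reuse_after_failure", lambda: srv.token("app", code, "https://app.example/cb"))
    code2 = srv.authorize("app", "https://app.example/cb")
    clock[0] += CODE_TTL_SECONDS + 1  # simulate the code sitting unused too long
    attempt("expired", lambda: srv.token("app", code2, "https://app.example/cb"))
    code3 = srv.authorize("app", "https://app.example/cb")
    attempt("happy_path", lambda: srv.token("app", code3, "https://app.example/cb"))
    return out


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:20s} {result}")
```

The point of the exact-match comparison is that any tolerance (prefix match, ignoring the query string, accepting subdomains) is what the redirect_uri attacks in the cheatsheet exploit; the token-endpoint comparison closes the case where an attacker substitutes their own redirect when exchanging a code they intercepted, and the short TTL plus single use limits how long an intercepted code is worth anything.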
------
indeyets
You missed the obvious: using OAuth2 without TLS =)

And the paranoid part of my brain suggests that using OAuth1.0a is still preferred
even if over TLS.

~~~
homakov
This is another kind of threat but yes, MITM is game over for oauth2

