Achieving OAuth 2.0 Security Best Current Practice with Verify Access

The OAuth 2.0 Security Best Current Practice specification (draft-ietf-oauth-security-topics, published as RFC 9700) collects the key security recommendations for OAuth 2.0. OAuth deployments have become more exposed to attack because of implementation weaknesses and anti-patterns, and at the same time OAuth is increasingly used in environments with higher security requirements. This document provides recommendations for implementing OAuth on Verify Access in line with that specification.

Protecting Redirect-Based Flows

  • Redirect URIs should always use the HTTPS scheme.
  • Redirect URIs should be registered in full and compared by exact string match; wildcard characters are not recommended. For backward compatibility Verify Access still accepts wildcard characters in the redirect URI configuration, so exact URIs should be configured wherever possible.
  • For Dynamic Client Registration, an additional PreToken mapping rule check validates the redirect URIs submitted at registration; it is enabled by setting "custom_enable_redirecturis_validations" to true.
  • When a new client is created, the Require PKCE flag is enabled, since the specification recommends PKCE for both public and confidential clients. For Dynamic Client Registration, PreToken mapping rule samples are provided that enforce PKCE; they are enabled by setting "custom_enable_default_pkce" to true.
  • The implicit grant, which returns access tokens directly in the authorization response, is not recommended; the authorization code grant with PKCE should be used instead.
  • Because an OAuth client may interact with multiple authorization servers, the iss value is always returned in the authorization response, so the client can detect mix-up attacks by comparing it with the issuer it sent the request to.

Token Replay Prevention

  • Sender-constrained access tokens and refresh tokens are recommended. In Verify Access they can be issued by using Mutual TLS as the client authentication mechanism, which binds the token to the client certificate (RFC 8705: the token's cnf claim carries the certificate thumbprint) so that a token stolen from one client cannot be replayed over a connection that presents a different certificate, or as a plain bearer token.

Client Authentication

  • Asymmetric client authentication methods are recommended, such as mTLS (tls_client_auth) or a signed JWT (private_key_jwt). With these methods the authorization server stores no shared secret that could be leaked, and the client's private key never leaves the client.

Resource Owner Password Credential Grant

  • The Resource Owner Password Credentials (ROPC) grant is not recommended (the specification states it must not be used), since it exposes the resource owner's credentials to the client and trains users to enter their credentials somewhere other than the authorization server.