OAuth2 Best Practices

Read the OAuth 2.0 Security Best Current Practice document.

The most important items to consider are:

  • If you customize your IAM landing page, be very careful to ensure that it does not leak access tokens.

  • Aim for long-lived refresh tokens and short-lived access tokens. It is also good practice to have the IAM invalidate the old refresh token and issue a new one each time the refresh endpoint is called (refresh token rotation).

  • Even though CUE Editor receives access tokens as URI fragments during login, an XSS exploit cannot use them to obtain a new token, because the client ID and client password (secret) needed to request new access and refresh tokens are stored only on the CUE User Manager server.

    However, an XSS exploit can still use the access token itself to call the IAM system on behalf of the logged-in user for as long as that token is valid. It's therefore recommended to tighten the IAM Firewall.
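The second item above (short-lived access tokens plus rotation of the refresh token on every refresh call) is illustrated by this added example; it is hypothetical code written for this page, not code from CUE User Manager, and the TTLs and the in-memory store are assumptions. It also goes one step further than the text: a refresh token that has already been exchanged and is presented again is treated as a replay, and the whole token family descended from the original login is revoked.

```python
import secrets
import time

ACCESS_TTL = 300            # assumed: access tokens live 5 minutes
REFRESH_TTL = 30 * 86400    # assumed: refresh tokens live 30 days


class TokenStore:
    """In-memory token issuer with refresh-token rotation (hypothetical, not CUE code)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.refresh = {}            # refresh token -> {"user", "family", "exp", "used"}
        self.revoked_families = set()

    def issue(self, user, family=None):
        """Mint a short-lived access token and a fresh refresh token for `user`.

        `family` ties every rotated refresh token back to the login that created it."""
        now = self.clock()
        family = family or secrets.token_hex(8)
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = {"user": user, "family": family,
                            "exp": now + REFRESH_TTL, "used": False}
        return {"access_token": secrets.token_urlsafe(32),
                "expires_in": ACCESS_TTL,
                "refresh_token": rt,
                "family": family}

    def rotate(self, rt):
        """Handle a call to the refresh endpoint.

        Returns a new token pair, or None when the refresh token is unknown,
        expired, belongs to a revoked family, or has already been used."""
        rec = self.refresh.get(rt)
        if rec is None or rec["family"] in self.revoked_families:
            return None
        if rec["exp"] <= self.clock():
            return None
        if rec["used"]:
            # This refresh token was already exchanged once. Seeing it again means
            # either a buggy client replayed it or a copy was stolen, so every token
            # descended from the same login is revoked rather than just this one.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True          # the old refresh token is now invalid
        return self.issue(rec["user"], rec["family"])
```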