OAuth

OAuth is a commonly used authorization framework that enables websites and web applications to request limited access to a user’s account on another application. OAuth allows the user to grant this access without exposing their login credentials to the requesting application. This means users can fine-tune which data they want to share rather than having to hand over full control of their account to a third party.

💡 See the OWASP Testing Guide on WSTG-ATHZ-05.

💡 See lab WebSecurityAcademy (PortSwigger) – OAuth authentication.

Tokens

OAuth 2.0 uses Access Tokens and Refresh Tokens.

Access token

The authorization server issues an access token when the user logs in. Client applications use it to make secure calls to an API server on behalf of a user. The access token lets the client signal to the server that the user has authorized it to perform certain tasks or access certain resources. OAuth 2.0 does not define a format for access tokens, but they are often JWTs and contain the standard JWT claims asserted about the token itself.

Access tokens are valid for a short amount of time. OWASP recommends 5 to 15 minutes. See Testing Token Lifetime (OWASP).

Refresh token

Once the access token expires, client applications can use a refresh token to get a new access token without asking the user to log in again, as long as the refresh token is still valid and unexpired. Consequently, a refresh token with a very long lifespan theoretically gives its bearer the power to obtain a new access token, and thus reach protected resources, at any time.

According to OWASP:

The refresh token should be valid for a longer duration. It should be a one-time token that gets replaced each time it has been used.

Testing Token Lifetime

❗ There is not much guidance on refresh token expiration.

ID token

OpenID Connect (OIDC) is an identity protocol that performs user authentication, user consent, and token issuance. OIDC uses ID tokens, which are not defined by OAuth itself.

An ID token is used by client applications (such as Single-Page Applications (SPAs) and mobile apps) to consume the identity of a user. It contains information like the user's name, email, and profile picture. As such, client applications can use the ID token to build a user profile and personalize the user experience. An authentication server that implements the OpenID Connect (OIDC) protocol issues an ID token to its clients whenever a user logs in.

Testing OAuth Authorization Server

Testing OAuth Client

To test…

Missing CSRF protection
Testing for improper usage of implicit grant type
Testing for flawed redirect_uri validation

Testing

CSRF protection

The state parameter is recommended and should contain a value that CANNOT be guessed (a hash, or a value bound to the user's session). If it is absent, an attacker can potentially initiate an OAuth flow themselves and then trick a user's browser into completing it, similar to a traditional CSRF attack. See Flawed CSRF protection (PortSwigger).
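As an added example (not code from the page or from the linked labs), the following shows how a client can generate a state value that cannot be guessed, bind it to the user's session, and reject callbacks whose state does not match; the `session` dict, endpoint URL and client identifiers are hypothetical placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Added example: client-side handling of the OAuth 2.0 `state` parameter.
# `session` stands in for a server-side, per-user session store (assumption).
STATE_KEY = "oauth_state"


def issue_state(session: dict) -> str:
    """Generate a fresh, unguessable state and bind it to this session."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe
    session[STATE_KEY] = state
    return state


def build_authorize_url(session: dict, authorize_endpoint: str,
                        client_id: str, redirect_uri: str) -> str:
    """Build the authorization request, carrying the session-bound state."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": issue_state(session),
    }
    return authorize_endpoint + "?" + urlencode(params)


def verify_callback(session: dict, returned_state) -> bool:
    """Validate the state echoed back on the redirect_uri.

    The stored value is consumed (one-time use) whether or not the check
    passes, so a callback the user never initiated, or a replayed one,
    cannot complete the flow. Comparison is constant-time.
    """
    expected = session.pop(STATE_KEY, None)
    if expected is None or returned_state is None:
        return False
    return hmac.compare_digest(expected, returned_state)


if __name__ == "__main__":
    sess = {}
    url = build_authorize_url(sess, "https://as.example/authorize",
                              "client123", "https://app.example/callback")
    print(url)
    print("valid callback:", verify_callback(sess, sess_state := url.rsplit("state=", 1)[1]))
    print("replayed callback:", verify_callback(sess, sess_state))
```

A callback that arrives with no stored state for the session, or with a state that differs from the stored one, is rejected before the authorization code is ever exchanged.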