Programista 53

While reading RFC6749, one gets the impression that it is a set of general guidelines whose implementation lets one build OAuth 2.0 support, rather than a precise specification. This is consistent with the document's title, which contains the word "framework". The OAuth 2.0 standard is therefore not a collection of strict, precisely defined rules. The latitude left in interpreting the instructions of RFC6749 translates directly into a larger number of places where those implementing the standard can make mistakes. Hence the need for an article that comprehensively explains what exactly the second version of OAuth is and what its potential threats are. To meet the needs of those responsible for implementing and testing OAuth 2.0 solutions, I prepared an article that was published in the "Programista" 10/2016 journal.

Before the framework itself is discussed, the reader gets a short refresher on the most important terms, including a precise explanation of the difference between "authentication" and "authorization".

This article handles the following issues:

  • How OAuth 2.0 works,
  • What we gain by using this method of authorization,
  • What OAuth is not, i.e. the issues around using OAuth for authentication,
  • The methods (grant types) by which a token can be obtained,
  • Which method of obtaining a token should be chosen for a given usage scenario,
  • What security mistakes can be made when using OAuth 2.0 - a list of vulnerabilities with practical examples,
  • OAuth in mobile applications (inter alia PKCE and the threats stemming from the use of WebView).

The text culminates in a long list of questions that should be asked when threat modeling applications that use OAuth 2.0.

Update Feb 13, 2017: this article was published on sekurak.pl.