OAuth
Definition
OAuth is an open standard for access delegation, most commonly deployed as OAuth 2.0 (RFC 6749). It lets a user grant a website or application limited access to their data held by another service without handing over their password: the user authorizes the third-party application at the resource provider, and the application receives a scoped, time-limited access token instead of the user's credentials. OAuth is an authorization protocol, not an authentication protocol; proving who the user is requires a profile on top of it such as OpenID Connect. It is widely used to enable delegated authorization in web, mobile, and desktop applications.
Secure Settings Example
# OAuth 2.0 configuration for a secure application
oauth2:
  client_id: "your-client-id"
  client_secret: "your-client-secret"   # Inject from a secret store or environment variable; never commit a real secret to this file
  redirect_uris:
    - "https://yourapp.com/callback"    # HTTPS only; the authorization server should match this string exactly, with no wildcards
  scopes:
    - "read"
    - "write"                           # Request only the scopes the application actually needs
  token_endpoint_auth_method: "client_secret_post"   # Acceptable; client_secret_basic is the RFC 6749 default and private_key_jwt is stronger
  use_pkce: true                        # Authorization code flow with PKCE (S256) for every client, confidential or public
  token_expiry: 3600                    # Access token lifetime in seconds (1 hour); use refresh tokens for longer sessions
Insecure Settings Example
# Insecure OAuth 2.0 configuration
oauth2:
  client_id: "your-client-id"
  client_secret: "your-client-secret"
  redirect_uris:
    - "http://yourapp.com/callback"     # Insecure: plain HTTP lets a network attacker read or redirect the authorization code on the callback
  scopes:
    - "read"
    - "write"
  token_endpoint_auth_method: "none"    # Insecure: a confidential client that holds a secret but does not authenticate at the token endpoint; anyone who knows the client_id can redeem a stolen code
  use_pkce: false                       # Insecure: without PKCE an intercepted authorization code is not bound to the session that started the flow
  token_expiry: 86400                   # Insecure: a 24-hour access token gives a leaked token a long window of use
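The two configurations above describe settings; what they do not show is the client-side logic that makes the secure settings effective. The following is an added example, not code from the original page, implementing the authorization code flow with PKCE (RFC 7636, S256) for the secure configuration: it derives the code challenge, rejects a non-HTTPS or unregistered redirect URI as in the insecure configuration, binds the flow to a random state value, and validates the callback before building the token request. The configuration dictionary, the authorization and token endpoint URLs, and the helper names are assumptions chosen for illustration; the client secret for a confidential client is deliberately left out of the config and would be added to the token request from an environment variable.

```python
"""Authorization-code flow with PKCE: the client-side steps behind the
'secure settings' configuration.  Added example; endpoint URLs and
function names are assumptions, not part of any real library."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical client configuration mirroring the YAML above.
CONFIG = {
    "client_id": "your-client-id",
    "redirect_uris": ["https://yourapp.com/callback"],
    "scopes": ["read", "write"],
    "use_pkce": True,
    "authorization_endpoint": "https://auth.example.com/authorize",  # assumed
    "token_endpoint": "https://auth.example.com/token",              # assumed
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def check_redirect_uri(uri: str, allowed: list) -> None:
    """Exact string match against the registered list; plain http is refused."""
    if urlparse(uri).scheme != "https":
        raise ValueError("redirect_uri must use https")
    if uri not in allowed:
        raise ValueError("redirect_uri is not registered")


def build_authorization_request(config: dict) -> tuple:
    """Return (authorization_url, session) where `session` holds the values the
    client must keep server-side, tied to the user's session, until the callback."""
    redirect_uri = config["redirect_uris"][0]
    check_redirect_uri(redirect_uri, config["redirect_uris"])
    state = b64url(secrets.token_bytes(16))      # unguessable, one per flow
    verifier = make_code_verifier()
    params = {
        "response_type": "code",
        "client_id": config["client_id"],
        "redirect_uri": redirect_uri,
        "scope": " ".join(config["scopes"]),
        "state": state,
    }
    if config.get("use_pkce"):
        params["code_challenge"] = code_challenge(verifier)
        params["code_challenge_method"] = "S256"
    url = config["authorization_endpoint"] + "?" + urlencode(params)
    return url, {"state": state, "code_verifier": verifier, "redirect_uri": redirect_uri}


def handle_callback(callback_url: str, config: dict, session: dict) -> dict:
    """Validate the redirect back to the client and build the token-request body.
    The state check stops login CSRF; code_verifier proves to the server that
    this client started the flow, so an intercepted code alone is worthless."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError("authorization server returned error: " + query["error"][0])
    received_state = query.get("state", [""])[0]
    if not secrets.compare_digest(received_state, session["state"]):
        raise ValueError("state mismatch: possible CSRF")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    body = {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": session["redirect_uri"],   # must equal the one sent earlier
        "client_id": config["client_id"],
        "code_verifier": session["code_verifier"],
    }
    # A confidential client adds its own authentication here (HTTP Basic header
    # preferred over client_secret_post); load the secret from the environment.
    return body


if __name__ == "__main__":
    url, session = build_authorization_request(CONFIG)
    print("send the browser to:", url)
    # Constructed callback, as the authorization server would redirect it:
    fake_callback = f"{session['redirect_uri']}?code=SplxlOBeZQQYbYS6WxSbIA&state={session['state']}"
    print("POST to", CONFIG["token_endpoint"], handle_callback(fake_callback, CONFIG, session))
```

The `state` and `code_verifier` values must live in server-side session storage keyed to the user's browser session, never in a cookie the attacker can set or in the URL; the whole point of the check in `handle_callback` is that only the session that built the authorization request can complete it.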