
OAuth Security — OAuth

<!DOCTYPE html> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>OAuth Security &mdash; OAuth</title> <link href="/stylesheets/bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css" /> <link href="/stylesheets/style.css?2" rel="stylesheet" type="text/css" /> <link href="/stylesheets/print.css" rel="stylesheet" type="text/css" media="print" /> <link rel="webmention" href="https://webmention.io/oauth/webmention" /> </head> <body> <div id="ea"> <div class="ea-placement"><div class="ea-content"></div></div> </div> <script src="https://cdn.usefathom.com/script.js" site="KKZQTOOD" defer></script> <script> var trackOutboundClick = function(url, code) { if(window.fathom) { window.fathom.trackGoal(code, 0); } } </script> <nav class="navbar navbar-expand-md navbar-light bg-light"> <a class="navbar-brand" href="/"><img src="/images/oauth-logo-square.png" width="45" alt=""></a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarsExampleDefault" aria-controls="navbarsExampleDefault" aria-expanded="false" aria-label="Toggle navigation"> <span class="navbar-toggler-icon"></span> </button> <div class="collapse navbar-collapse" id="navbarsExampleDefault"> <ul class="navbar-nav mr-auto"> <li class="nav-item"><a class="nav-link" href="/2/">OAuth 2.0</a></li> <li class="nav-item"><a class="nav-link" href="/specs/">Specs</a></li> <li class="nav-item"><a class="nav-link" href="/code/">Code</a></li> <li class="nav-item"><a class="nav-link" href="/articles/">Articles</a></li> <li class="nav-item"><a class="nav-link" href="/videos/">Videos</a></li> <li class="nav-item"><a class="nav-link" href="https://events.oauth.net/">Events</a></li> <li class="nav-item"><a class="nav-link" href="/books/">Books</a></li> <li class="nav-item"><a class="nav-link" href="/security/">Security</a></li> <li class="nav-item"><a class="nav-link" 
href="https://shop.oauth.net/">Merch</a></li> <li class="nav-item"><a class="nav-link" href="/about/credits/">About</a></li> </ul> </div> </nav> <div class="print-header"> <span class="item"><img src="/images/oauth-logo-square.png" width="45" alt=""></span> <span class="item">oauth.net/security/</span> </div> <div class="alert alert-success" role="alert" style="border-radius: 0;" id="site-banner"> <div style="max-width:800px; margin: 0 auto; padding: 0 15px;"> Featured: <span ><a href="https://fusionauth.io/learn/expert-advice/oauth/modern-guide-to-oauth?utm_medium=display&utm_source=oauthnet&utm_campaign=oauth_ebook" onclick="fathom.trackGoal('IX7OVRZA', 0);" class="featured-banner">Master OAuth 2.0 from this guide with modern use cases and real-world examples</a></span> </div> </div> <div class="container"> <div> <h2>OAuth Security</h2> <ul> <li><a href="https://tools.ietf.org/html/rfc6819">OAuth 2.0 Threat Model and Security Considerations</a> (ietf.org)</li> <li><a href="https://tools.ietf.org/html/draft-ietf-oauth-security-topics">OAuth 2.0 Security Best Current Practice</a> (ietf.org)</li> <li><a href="https://www.oauth.com/oauth2-servers/authorization/security-considerations/">Security Considerations when Building an Authorization Server</a> (oauth.com)</li> <li><a href="https://ldapwiki.com/wiki/Wiki.jsp?page=OAuth%202.0%20Security%20Considerations">OAuth 2.0 Security Considerations</a> (ldapwiki.com)</li> <li><a href="https://arxiv.org/pdf/1601.01229v3.pdf">A Comprehensive Formal Security Analysis of OAuth 2.0</a> (arxiv.org, PDF)</li> </ul> </div> <div> <h3>Security Workshops</h3> <p>The aim of the OAuth Security Workshop (OSW) is to improve the security of OAuth and related Internet protocols through a direct exchange of views between academic researchers, IETF OAuth Working Group members and industry.</p> <p><a href="/workshop/">See upcoming workshops</a></p> </div> <div> <h3>Security Advisories</h3> <p>The OAuth community is committed to identifying and addressing 
any security issues raised relating to the OAuth protocol and extensions. Any identified threat will be published on this page as soon as it is safe to do so. Due to the nature of many security threats, they cannot be disclosed before sufficient notice is given to vulnerable parties.</p> <p>The following are known security threats and the protocol version they affect:</p> <h4>OAuth 2.0</h4> <ul> <li><a href="/advisories/2014-1-covert-redirect/">2014.1 Covert Redirect </a></li> </ul> <h4>OAuth Core 1.0</h4> <ul> <li><a href="/advisories/2009-1/">2009.1 Session Fixation Attack</a></li> </ul> <h3>How to Report Security Threats</h3> <p>Please report any concerns with specific products to the vendor of that product using their own vulnerability reporting mechanisms.</p> <p>For security concerns related to the spec itself, please refer to the <a href="https://www.ietf.org/standards/rfcs/vulnerabilities/">IETF Guidance on Reporting Protocol Vulnerabilities</a>.</p> </div> </div> <footer> <div class="source"> Missing something? <a href="https://github.com/aaronpk/oauth.net/blob/main/public/security/index.php">Edit this page</a>. </div> <div class="container"> </div> </footer> <script src="/stylesheets/jquery-3.2.1.slim.min.js"></script> <script src="/stylesheets/bootstrap/js/bootstrap.min.js"></script> <script> function ea(response) { if(response.html) { $("#ea").html(response.html); } }; $(function(){ if(window.fathom && $(".featured-banner").data("view-code")) { window.fathom.trackGoal($(".featured-banner").data("view-code"), 0); } }); </script> <script async src="/thanks.php"></script> </body> </html>