PingOne Platform APIs

OAuth and OIDC attacks

What PingOne does to prevent against OAuth and OIDC attacks

  • Short-lived tokens and refresh token rotation ensure that even if a token is compromised, it cannot be used for an extended period. Refer to Access tokens and ID tokens for more information.

  • Strict audience (aud) and scope validation binds tokens to a specific session, device, or client. These restrictions ensure that tokens are used only for their intended purpose, and within their intended context. Refer to Sessions for more information.

  • Strict validation of redirect URIs prevents open redirect vulnerabilities that attackers might exploit to intercept OAuth and OIDC tokens. Refer to Redirect and non-redirect authentication flows for more information.

  • Wildcard-based redirect URIs are prohibited, ensuring that only preregistered and trusted URIs are used.

  • Strict rate limits on OAuth endpoints (such as /token and /authorize) prevent brute-force attacks, excessive login attempts, and denial-of-service (DoS) attacks. Refer to PingOne Platform Limits for more information.

  • Single-use authorization codes prevent attackers from replaying intercepted codes.

  • HttpOnly and Secure cookies prevent JavaScript from reading OAuth tokens, so a cross-site scripting (XSS) attack cannot steal them. Refer to Token storage for more information.

  • All OAuth authentication, token exchanges, and access grants are logged for security auditing.

  • OIDC authentication requests include a nonce that’s validated and used to prevent ID token replay attacks.
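The following is an added example of the relying-party side of three of the checks listed above (exact-match redirect URI validation, audience validation, and single-use nonce validation), written for this page rather than taken from PingOne's own code or SDKs. It assumes a hypothetical issuer URL, client ID, and registered redirect URI, and it signs the sample ID token with HS256 using a constructed shared secret so that the script runs offline; a real PingOne deployment issues RS256 tokens that you verify against the environment's JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values: not real PingOne identifiers.
ISSUER = "https://auth.pingone.example/as"          # hypothetical issuer URL
CLIENT_ID = "example-client-id"                     # hypothetical client ID
# Exact-match allow list, as the page describes: no wildcard or prefix patterns.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/callback"}
# HS256 with a constructed secret stands in for the provider's real signing key.
SIGNING_KEY = b"constructed-shared-secret-for-demo-only"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict) -> str:
    """Build an HS256-signed JWT so the validator below has realistic input."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def redirect_uri_allowed(candidate: str) -> bool:
    """Exact string comparison against preregistered URIs; no wildcard matching."""
    return candidate in REGISTERED_REDIRECT_URIS


class NonceStore:
    """Nonces this relying party generated; each may be consumed exactly once."""

    def __init__(self) -> None:
        self._pending: set = set()

    def issue(self, nonce: str) -> None:
        self._pending.add(nonce)

    def consume(self, nonce: str) -> bool:
        if nonce in self._pending:
            self._pending.remove(nonce)
            return True
        return False


def validate_id_token(token: str, expected_nonce: str, store: NonceStore, now=None) -> dict:
    """Verify signature, iss, aud/azp, exp and nonce; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never trust an alg the client did not expect
    expected_sig = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise ValueError("token not intended for this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp does not match this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    nonce = claims.get("nonce")
    if nonce != expected_nonce or not store.consume(nonce):
        raise ValueError("nonce invalid or already used (replay)")
    return claims


def is_valid_id_token(token: str, expected_nonce: str, store: NonceStore, now=None) -> bool:
    try:
        validate_id_token(token, expected_nonce, store, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    store = NonceStore()
    store.issue("n-1")
    tok = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
                         "iat": int(time.time()), "exp": int(time.time()) + 300, "nonce": "n-1"})
    print("first use:", is_valid_id_token(tok, "n-1", store))    # True
    print("replay:", is_valid_id_token(tok, "n-1", store))       # False, nonce consumed
    print("redirect ok:", redirect_uri_allowed("https://app.example.com/callback"))
    print("redirect evil:", redirect_uri_allowed("https://app.example.com.evil.test/callback"))
```

The nonce store is what turns the nonce from a simple equality check into replay protection: the relying party records every nonce it puts into an authentication request and removes it when an ID token carrying it is accepted, so a second token with the same nonce is rejected even though its signature and claims are otherwise valid.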

What you can do to prevent OAuth and OIDC attacks

  • Use PingOne Protect. PingOne Protect continuously monitors OAuth and OIDC authentication events for unusual login behaviors, such as rapid login attempts or geolocation inconsistencies. (PingOne Protect license required.)

  • Ensure that your PingOne environment is configured to issue signed and encrypted access and ID tokens. This practice protects token integrity and confidentiality, preventing tampering or unauthorized access to sensitive claims. Refer to Access tokens and ID tokens for more information.

  • Use PKCE with all OAuth 2.0 and OIDC Authorization Code Flows as a standard security measure. PKCE protects against authorization code interception by ensuring that only the original client that initiated the request can exchange the code for tokens. PKCE adds a critical layer of protection against attacks and misconfigurations, and helps safeguard tokens from being issued to unauthorized or malicious clients. Refer to PKCE parameters for more information.

  • Enable and enforce user consent prompts in PingOne for all third-party and high-risk applications requesting OAuth scopes. Prompts allow end users to clearly see what data and permissions are being requested and help prevent unauthorized access or privilege escalation due to overbroad scope requests.

  • Implement and configure OIDC session logout (single logout) across all applications integrated with PingOne. Register logout URIs and support front-channel or back-channel logout to ensure user sessions are fully terminated across all relying parties, reducing the risk of session hijacking or unintended access after logout. Refer to Sessions for more information.

  • Enable and configure FIDO2 or WebAuthn authentication in PingOne to reduce reliance on passwords and protect users from phishing attacks that target OAuth and OIDC credentials. FIDO2 and WebAuthn provide strong, phishing-resistant authentication methods that enhance both security and user experience. Refer to Multi-factor (MFA) action and FIDO policies for more information.

  • Ensure that the data is accurate and verified when mapping user attributes into tokens (such as email, phone, and roles), especially if relying systems use these attributes for access decisions or communication. For example, include email addresses in tokens only after they have been verified through a trusted process, such as PingOne’s email verification feature. Refer to Token customization and introspection for more information.

  • Configure PingOne to alert administrators when it detects OAuth anomalies, such as token misuse, repeated access attempts, or suspicious client behavior. Refer to Alerting for more information.

  • Allow administrators to revoke tokens if they detect suspicious activity, such as unauthorized token usage. Refer to Tokens for more information.

  • Ensure that applications using OAuth store client secrets securely and avoid exposing them in mobile apps or JavaScript. Regularly rotate client secrets and use client certificate authentication for added security. Refer to Authorization and authentication by application type for more information.

  • Monitor OAuth and OIDC application registrations and block phishing domains from attempting to impersonate legitimate apps.

  • Display clear warnings to users when OAuth applications request high-risk permissions, such as full account access.

  • Define and enforce OAuth scopes that grant only the minimum necessary permissions to applications.

  • Set up alerts for unusual OAuth and OIDC behavior, such as multiple failed login attempts, rapid token refreshes, or geolocation inconsistencies.

  • Maintain audit logs of all OAuth and OIDC activity, including token issuance, refresh requests, and failed authentications.

  • Protect against automated attacks by implementing non-interactive CAPTCHA for repeated OAuth or OIDC authentication failures.

  • Enforce certificate pinning to block attackers from using rogue certificates in man-in-the-middle (MitM) attacks.
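The following is an added example, written for this page and not part of PingOne's own code or SDKs, of the PKCE flow recommended above together with the state and nonce parameters that the authentication request should carry. The client side generates a code verifier, derives the S256 challenge and builds the authorization request; a toy authorization server (a stand-in for the real /authorize and /token endpoints) stores the challenge with a single-use code and refuses the exchange when the verifier does not match, the redirect URI differs, or the code is presented a second time. The endpoint URL, client ID and redirect URI are hypothetical values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example; not a real PingOne environment.
AUTHORIZE_ENDPOINT = "https://auth.pingone.example/as/authorize"  # hypothetical
CLIENT_ID = "example-client-id"                                   # hypothetical
REDIRECT_URI = "https://app.example.com/callback"                 # hypothetical


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 verifier: 43-128 unreserved chars; 32 random bytes give 43 chars."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: base64url(SHA-256(verifier)) without padding."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, nonce: str, scope: str = "openid profile") -> str:
    """Authorization request carrying PKCE challenge, CSRF state and OIDC nonce."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class AuthorizationServer:
    """Toy authorization server: binds each single-use code to its PKCE challenge."""

    def __init__(self) -> None:
        self._codes: dict = {}

    def issue_code(self, challenge: str, method: str, redirect_uri: str) -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"challenge": challenge, "method": method, "redirect_uri": redirect_uri}
        return code

    def exchange(self, code: str, verifier: str, redirect_uri: str):
        """Return (token_response, error). The code is consumed on any attempt."""
        record = self._codes.pop(code, None)   # pop: a replayed code is never found again
        if record is None:
            return None, "invalid_grant: unknown or already used code"
        if record["redirect_uri"] != redirect_uri:
            return None, "invalid_grant: redirect_uri mismatch"
        if record["method"] != "S256":
            return None, "invalid_request: only S256 is accepted"
        if not hmac.compare_digest(code_challenge_s256(verifier), record["challenge"]):
            return None, "invalid_grant: PKCE verification failed"
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}, None


def run_flow(server: AuthorizationServer, verifier: str):
    """Client builds the request; the server issues a code bound to the challenge."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = parse_qs(urlparse(build_authorize_url(verifier, state, nonce)).query)
    code = server.issue_code(query["code_challenge"][0],
                             query["code_challenge_method"][0],
                             query["redirect_uri"][0])
    return code, state, nonce


if __name__ == "__main__":
    server = AuthorizationServer()
    verifier = new_code_verifier()
    code, _, _ = run_flow(server, verifier)
    print("legitimate exchange:", server.exchange(code, verifier, REDIRECT_URI)[1])  # None
    print("replayed code:", server.exchange(code, verifier, REDIRECT_URI)[1])
    code2, _, _ = run_flow(server, verifier)
    print("wrong verifier:", server.exchange(code2, new_code_verifier(), REDIRECT_URI)[1])
```

Note that the server consumes the code before checking the verifier, so an intercepted code that is presented with a wrong verifier also burns it for the legitimate client; that is the intended failure mode, since a code that has been tried once by someone who does not hold the verifier should not remain exchangeable.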