OAuth 2.0 and OpenID Connect:Security Made Simple
Almost every "Sign in with Google" or "Connect your account" button uses OAuth 2.0 and OpenID Connect. They are powerful, but small mistakes in how the pieces fit together can hand an attacker a full account. This guide explains the ideas in simple terms and shows the settings that keep them safe. It maps to chapter V10 of the OWASP standard, which you can browse in the ASVS Explorer.
What Is the Difference Between OAuth and OpenID Connect?
People mix these two up all the time, so it helps to separate them clearly. OAuth is about access. OpenID Connect is about identity.
| OAuth 2.0 | OpenID Connect (OIDC) | |
|---|---|---|
| Main job | Give an app permission to use data | Tell an app who the user is |
| Answers the question | What is this app allowed to do? | Who just logged in? |
| Main token | Access token | ID token (plus access token) |
| Everyday example | Let an app read your calendar | Sign in with your Google account |
OpenID Connect is built on top of OAuth, so a login usually gives you both an ID token (who the user is) and an access token (what the app can do). The ID token is a signed JWT. If you use tokens directly, our guide on JWT vs session tokens explains how to handle them.
How Does the Safe OAuth Flow Work?
The recommended flow is called the authorization code flow with PKCE (said "pixy"). In plain steps it works like this:
- Your app sends the user to the login provider with a request that includes a random value called
stateand a one time secret called a PKCE code. - The user logs in at the provider, which your app never sees.
- The provider sends the user back to your exact redirect address with a short lived
code. - Your app checks that the returned
statematches what it sent, then swaps thecodeplus the PKCE secret for tokens on a back channel that the browser cannot see. - Your app validates the tokens and creates a session for the user.
PKCE matters because it ties the code to the app that started the flow. Even if an attacker steals the code, they cannot exchange it without the matching secret. This is why the older implicit flow, which returned tokens straight to the browser, is no longer recommended.
What Are the Most Common OAuth Mistakes?
- Loose redirect addresses. If you allow wildcards or do not match the redirect URL exactly, an attacker can send the code to their own site. Always register and compare the full redirect address.
- Skipping the state check. The
statevalue stops cross site request forgery on the login flow. If you do not check it, an attacker can trick a user into linking the attacker's account. - Using the implicit flow. Returning tokens directly in the browser URL leaks them into history and logs. Use the authorization code flow with PKCE instead.
- Trusting tokens without checking. Always validate the token signature, the issuer, the audience, and the expiry before you trust anything inside it.
- Asking for too much. Requesting broad permissions (scopes) you do not need increases the damage if the token leaks. Ask for the minimum, and let users see what they are approving.
How Do You Validate OAuth and OIDC Tokens?
A token is only useful if you trust it, and you only trust it after checking it. For an ID token from OpenID Connect, confirm four things on every login: the signature is valid and made by the provider, the iss (issuer) is the provider you expect, the aud (audience) is your app, and the token has not expired. For access tokens, follow the provider's guidance, which is often to send the token to the provider's introspection endpoint or to verify it as a signed JWT. Never store secrets or long lived tokens in the browser where a script could read them.
OAuth and OIDC Security Checklist
- 1Use the authorization code flow with PKCE for web and mobile apps.
- 2Register exact redirect addresses and compare them fully, with no wildcards.
- 3Generate and check the state value on every login to stop request forgery.
- 4Validate every token: signature, issuer, audience, and expiry.
- 5Request the smallest set of scopes your app needs.
- 6Keep client secrets on the server, never in browser or mobile app code.
- 7Give users a way to review and remove connected apps.
- 8Log login events and failures so you can spot abuse.