OAuth 2.0 powers billions of secure API requests daily, but implementation mistakes create dangerous security gaps. In July 2025, attackers exploited malicious OAuth applications to breach Allianz Life's Salesforce systems, exposing 1.1 million customer records. Authentication and authorization failures remain primary attack vectors across industries.
Understanding OAuth security flaws helps security teams protect APIs before attackers exploit vulnerabilities.
What Is OAuth 2.0
OAuth 2.0 is an authorization framework that grants applications limited access to user resources without exposing credentials. Instead of sharing passwords, users authorize third-party applications to access specific data on their behalf.
The framework separates authentication (verifying identity) from authorization (granting access). OAuth 2.0 handles authorization only. For authentication, applications should use OpenID Connect (OIDC), which extends OAuth with identity verification capabilities.
OAuth 2.0 involves four key roles:
- Resource Owner: The user who owns the data
- Client: The application requesting access
- Authorization Server: Issues access tokens after user consent
- Resource Server: Hosts protected resources and validates tokens
How Does OAuth 2.0 Work
The OAuth 2.0 authorization code flow keeps credentials secure while granting access through a specific sequence.
First, the client application redirects users to the authorization server with a request containing client ID, requested scopes, redirect URI, and a state parameter. The authorization server authenticates the user and displays a consent screen showing requested permissions.
After user approval, the authorization server redirects back to the client with an authorization code. The client exchanges the code for access tokens through a secure back-channel request, including client credentials for verification.
The authorization server validates the request and returns access tokens (and optionally refresh tokens). The client uses access tokens to request protected resources from resource servers, which validate tokens before granting access.
PKCE (Proof Key for Code Exchange) adds security by requiring a code_verifier that only the legitimate client possesses.
OAuth 2.0 Common Security Flaws and Prevention Techniques
Redirect URI Manipulation
Authorization servers must validate the redirect_uri parameter before sending users back to client applications. Attackers exploit loose pattern matching to intercept authorization codes.
Prevention:
- Use exact string matching for redirect URIs
- Never accept wildcards or pattern matching
- Configure allowlists at the client level
CSRF Attacks Through Missing State Parameters
The state parameter prevents Cross-Site Request Forgery attacks during OAuth flows. Attackers can forge authorization requests when applications skip state validation or use predictable values.
Prevention:
- Generate unique, unpredictable state values for each request
- Validate state matches when receiving callbacks
- Store state server-side and bind to user sessions
Authorization Code Interception
Mobile apps using custom URI schemes face authorization code interception risks. Malicious apps can register as handlers for custom schemes alongside legitimate applications.
PKCE solves the vulnerability by requiring a code_verifier that attackers cannot access, even if authorization codes are intercepted. OAuth 2.1 makes PKCE mandatory for all clients.
PKCE Downgrade Attacks
PKCE downgrade attacks happen when authorization servers support PKCE but don't enforce requirements. Attackers manipulate authorization requests to bypass PKCE protections.
Prevention:
- Require PKCE for all authorization requests
- Reject requests without a code_challenge parameter
- Migrate to OAuth 2.1, where PKCE is mandatory
Insecure Token Storage
Access tokens grant temporary access to user resources. Storing tokens in plain text creates unauthorized access risks.
Prevention:
- Encrypt OAuth access and refresh tokens
- Use HTTP-only and Secure cookies to prevent JavaScript access
- Never store tokens in browser localStorage or sessionStorage
Credential Leakage Through URLs
Authorization codes and access tokens can leak through browser history and Referer headers.
Prevention:
- Use POST requests instead of GET for token exchange
- Clear sensitive URL parameters after processing
- Configure servers to strip Referer headers on sensitive endpoints
Misusing OAuth for Authentication
OAuth 2.0 handles authorization, not authentication. Building custom authentication on OAuth alone creates business logic vulnerabilities.
Prevention:
- Use OpenID Connect for authentication
- Use OAuth for authorization only
- Implement ID tokens for identity verification
OAuth Attack Prevention Best Practices
- Adopt OAuth 2.1 Standards: OAuth 2.1 consolidates security best practices and makes PKCE mandatory. Migrating eliminates the most common OAuth vulnerabilities.
- Implement Sender-Constrained Tokens: Mutual TLS and DPoP (Demonstrating Proof of Possession) bind tokens to specific clients cryptographically, preventing token replay attacks.
- Use Well-Reviewed Libraries: Custom OAuth implementations consistently introduce security vulnerabilities. Use libraries that default to secure configurations.
- Continuous Security Testing: OAuth vulnerabilities require testing with every code change. APIsec automates OAuth flow testing, simulating attack scenarios including authentication bypasses and authorization flaws.
Conclusion
OAuth 2.0 security depends on the correct implementation of redirect URI validation, state parameters, PKCE, and token storage. APIsec tests OAuth authorization flows continuously, catching flaws before production.
Start your free account today.
FAQs
What is the most common OAuth security vulnerability?
Redirect URI manipulation remains the most common flaw. OAuth 2.1 requires exact string matching to prevent interception.
How does PKCE prevent OAuth attacks?
PKCE requires a code_verifier that only legitimate clients possess, preventing authorization code interception.
Should access tokens be stored in localStorage?
Never. Use HTTP-only Secure cookies or encrypted server-side storage to prevent XSS attacks.
What is the difference between OAuth and OIDC?
OAuth handles authorization (resource access). OIDC extends OAuth with authentication (identity verification).
How often should OAuth implementations be tested?
Continuously with every code change. Automated CI/CD testing catches OAuth flaws before production deployment.
.webp)
