- response_type is a constant fixed server-side for the registered app, never taken from the request (1)
- redirect_uri is fixed server-side for the registered app in the same way (1)
- "state" is a random value generated by the client; the server echoes it back and the client checks it (1)
- only a hash of the "state" value is stored in LocalStorage, and it is destroyed on receiving the redirect, whether or not the check passes (1)
- "client_id" is checked: after obtaining the token, ask the server which client the token was issued to and compare that with your own client_id; a token minted for another app must be rejected even though it arrived with a valid state (2, 3)
- the client IP is saved for each token on grant and checked on access (mobile and NAT clients change addresses, so treat a mismatch as a reason to re-authenticate rather than as proof of theft)
- tokens expire after a reasonably short time
- TOTP (second factor) is required
- minimum password length is enforced and candidates are rejected if they appear in a dictionary / common-password list
- passwords are stored with a strong, deliberately slow hash (PBKDF2/bcrypt/scrypt), never a bare MD5/SHA-x
- long random per-user salt (bcrypt and scrypt generate one; PBKDF2 needs it supplied)
- hash and salt aren't leaked by /users (or similar) endpoints
- session cookie is restricted (Path attribute) to the login and OAuth2 authorization endpoints
- HTTPS is provided
- plain HTTP redirects to HTTPS by default
- Strict-Transport-Security header is set
- cookies have the Secure attribute
- cookies have the HttpOnly attribute
- A rating on https://www.ssllabs.com/ssltest/
- provide a public key pin with the Public-Key-Pins header (HPKP has since been removed from the major browsers; a wrong pin locks users out, so treat this item as historical)
- TLS configuration follows https://wiki.mozilla.org/Security/Server_Side_TLS
- X-Content-Type-Options: nosniff
- X-Frame-Options (DENY or SAMEORIGIN)
- X-XSS-Protection (legacy filter header; current browsers ignore it, so rely on CSP instead)
- X-Content-Security-Policy (the old prefixed name; send the standard Content-Security-Policy header)
- http://homakov.blogspot.ru/2013/03/oauth1-oauth2-oauth.html
- http://homakov.blogspot.ru/2012/08/oauth2-one-accesstoken-to-rule-them-all.html
- http://technotes.iangreenleaf.com/posts/closing-a-nasty-security-hole-in-oauth.html
- https://github.com/angular-oauth/angular-oauth (example of implicit flow implementation)