EIVUS

OAuth and SSO for Hosted Applications

Integrate with identity providers; secure tokens and sessions.


OAuth 2.0 and OIDC let users sign in with Google, Microsoft, or an enterprise IdP. Use HTTPS and secure cookie settings. Validate tokens and refresh them; handle logout and token revocation.

OAuth 2.0 and OIDC

  • OAuth 2.0: Authorization framework. Your app gets an access token (and optionally refresh token) from the IdP after the user authorizes. Use the token to call APIs on behalf of the user. Do not build your own OAuth server for consumer login—use a well-tested library and a known IdP (Google, Microsoft, Auth0, Okta, etc.).
  • OIDC (OpenID Connect): Identity layer on top of OAuth 2.0. Adds ID token (JWT with user identity) and standard claims. Use OIDC when you need "who is this user?" (email, name, etc.) in addition to "can this app act for them?".
  • Flows: Authorization Code (with PKCE for public clients) is the recommended flow for web and mobile. Never ship client secrets in frontend code; keep them server-side or in a backend-for-frontend, which also holds the PKCE verifier and session state.
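Added example, not code from the EIVUS post: a minimal backend-for-frontend implementation of the Authorization Code flow's front channel with PKCE, using only the Python standard library. The IdP endpoint, client_id and redirect_uri are constructed placeholders; `begin_login` stores the per-login secrets in the server-side session and `handle_callback` checks the returned state before building the back-channel token request.

```python
# Added example (not from the EIVUS post): Authorization Code + PKCE front
# channel for a server-side BFF. Endpoint, client_id and redirect_uri are
# constructed placeholders.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://idp.example/authorize"   # placeholder
CLIENT_ID = "my-client-id"                              # placeholder
REDIRECT_URI = "https://app.example/callback"           # placeholder, must be HTTPS


def code_challenge_for(verifier: str) -> str:
    """S256 challenge per RFC 7636: BASE64URL(SHA256(ASCII(verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def generate_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge). 32 random bytes give a 43-char
    URL-safe verifier, the minimum length RFC 7636 allows."""
    verifier = secrets.token_urlsafe(32)
    return verifier, code_challenge_for(verifier)


def begin_login(session: dict) -> str:
    """Store the per-login secrets in the server-side session and return the
    redirect URL. Only the challenge, never the verifier, leaves the server."""
    verifier, challenge = generate_pkce_pair()
    session["pkce_verifier"] = verifier
    session["oauth_state"] = secrets.token_urlsafe(32)   # CSRF binding for the callback
    session["oidc_nonce"] = secrets.token_urlsafe(32)    # echoed back inside the ID token
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",     # "openid" asks for an ID token (OIDC)
        "state": session["oauth_state"],
        "nonce": session["oidc_nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, query: dict) -> dict:
    """Validate the redirect back from the IdP and build the body of the
    back-channel token request (sent server-to-server over HTTPS)."""
    expected_state = session.pop("oauth_state", None)
    received_state = query.get("state", "")
    if expected_state is None or not secrets.compare_digest(expected_state, received_state):
        raise ValueError("state mismatch: reject the callback (CSRF or stale login)")
    if "error" in query or "code" not in query:
        raise ValueError(f"authorization failed: {query.get('error', 'no code returned')}")
    return {
        "grant_type": "authorization_code",
        "code": query["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        # The verifier proves this backend started the flow; an intercepted
        # code is useless without it.
        "code_verifier": session.pop("pkce_verifier"),
    }
```

The state and nonce are consumed with `pop`, so a replayed callback fails the state check, and the verifier is only read once the state has matched.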

HTTPS and cookies

  • HTTPS: All auth endpoints and redirects must use HTTPS. Tokens in redirects (e.g. authorization code) must not leak over HTTP. Enforce HSTS.
  • Cookies: If you use session cookies after OAuth login, set Secure, HttpOnly, and SameSite (Strict or Lax). Use a strong, randomly generated session ID; bind it to IP or user-agent if you need extra hardening. Prefer a short session lifetime and extend it via refresh token or re-authentication.
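Added example, not code from the EIVUS post: issuing the post-login session cookie with the attributes listed above, plus a small audit function for Set-Cookie header values that reports what is missing. The `__Host-sid` name, the 15-minute default lifetime and the 8-hour "long lifetime" threshold are choices made for this example.

```python
# Added example (not from the EIVUS post): session cookie issuance and a
# Set-Cookie audit. Cookie name and lifetime thresholds are example choices.
import secrets

REQUIRED_ATTRS = ("Secure", "HttpOnly", "SameSite")
MAX_REASONABLE_LIFETIME = 8 * 3600   # example threshold for "short session lifetime"


def new_session_id() -> str:
    """256 bits from the OS CSPRNG; never derive session IDs from user data."""
    return secrets.token_urlsafe(32)


def build_session_cookie(session_id: str, max_age: int = 900, same_site: str = "Lax") -> str:
    """Return the Set-Cookie header value for the session established after the
    OIDC callback. SameSite=None is refused: a login session must not be sent
    on cross-site requests."""
    if same_site not in ("Strict", "Lax"):
        raise ValueError("session cookie must use SameSite=Strict or Lax")
    # The __Host- prefix makes browsers require Secure, Path=/ and no Domain,
    # so a sibling subdomain cannot overwrite the cookie.
    return (f"__Host-sid={session_id}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite={same_site}")


def audit_set_cookie(header_value: str) -> list:
    """Return findings for one Set-Cookie header value; an empty list means the
    cookie satisfies the checklist in this section."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        attr, _, value = part.partition("=")
        attrs[attr.lower()] = value
    findings = [f"missing {a}" for a in REQUIRED_ATTRS if a.lower() not in attrs]
    if attrs.get("samesite", "").lower() == "none":
        findings.append("SameSite=None lets the cookie ride on cross-site requests")
    max_age = attrs.get("max-age", "")
    if max_age.isdigit() and int(max_age) > MAX_REASONABLE_LIFETIME:
        findings.append(f"Max-Age {max_age}s exceeds the {MAX_REASONABLE_LIFETIME}s example threshold")
    if name.startswith("__Host-") and ("domain" in attrs or attrs.get("path") != "/"):
        findings.append("__Host- prefix requires Path=/ and no Domain; browsers drop the cookie otherwise")
    return findings
```

Running `audit_set_cookie` over the Set-Cookie headers your application actually emits (for example in an integration test) catches a framework default that silently drops one of the attributes.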

Token handling

  • Validate: Verify the signature of ID and access tokens against the IdP's published keys (JWKS), and check audience, issuer, and expiry. Never act on an unvalidated token. Validate on every request, or cache the validation result only briefly.
  • Refresh: Use refresh tokens to get new access tokens without re-prompting the user. Store refresh tokens securely (e.g. encrypted server-side). Rotate refresh tokens if the IdP supports it.
  • Logout: Implement single logout: clear your session and, if supported, call IdP logout endpoint so the user is logged out everywhere. Revoke or discard tokens when the user logs out.
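Added example, not code from the EIVUS post: the validation steps listed above (signature by key id, issuer, audience, expiry, plus the OIDC nonce) written out with the Python standard library. Because the standard library cannot verify RSA or EC JWT signatures, the stand-in IdP key set here is an HMAC (HS256) secret constructed for the demo; against a real IdP's JWKS you would use a JWT library such as PyJWT or authlib for the signature step and keep the claim checks unchanged. `ISSUER`, `CLIENT_ID` and the key id are placeholders.

```python
# Added example (not from the EIVUS post): token validation order and claim
# checks. HS256 with a constructed secret stands in for the IdP's JWKS.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALGS = {"HS256"}             # pin to what your IdP uses; never accept "none"
ISSUER = "https://idp.example"       # placeholder; compared exactly, scheme included
CLIENT_ID = "my-client-id"           # placeholder; must appear in "aud"
IDP_KEYS = {"2024-key-1": b"constructed-demo-secret"}   # constructed stand-in for JWKS


class TokenInvalid(Exception):
    pass


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Only used to construct sample tokens; in production the IdP signs."""
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, now: Optional[float] = None, leeway: int = 60,
                   expected_nonce: Optional[str] = None) -> dict:
    """Return the claims if every check passes, otherwise raise TokenInvalid."""
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:          # bad split, bad base64, or bad JSON
        raise TokenInvalid(f"malformed token: {exc}") from exc

    # 1. Signature first. The header is untrusted until this passes, so the
    #    algorithm is checked against an allowlist before any key lookup.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenInvalid(f"algorithm {header.get('alg')!r} not allowed")
    key = IDP_KEYS.get(header.get("kid"))
    if key is None:
        raise TokenInvalid("unknown kid (re-fetch JWKS once, then reject)")
    expected_sig = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise TokenInvalid("signature mismatch")

    # 2. Issuer: exact string comparison, no prefix or substring matching.
    if claims.get("iss") != ISSUER:
        raise TokenInvalid("unexpected issuer")

    # 3. Audience may be a string or a list; our client_id must be present.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if CLIENT_ID not in audiences:
        raise TokenInvalid("token not intended for this client")

    # 4. Time window, with a small clock-skew allowance.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenInvalid("token expired or missing exp")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf - leeway:
        raise TokenInvalid("token not yet valid")

    # 5. OIDC nonce: ties the ID token to the login this browser started.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise TokenInvalid("nonce mismatch")
    return claims


def is_valid(token: str, **kwargs) -> bool:
    try:
        validate_token(token, **kwargs)
        return True
    except TokenInvalid:
        return False


def sample_token(now: int, **overrides) -> str:
    """Construct a well-formed sample ID token for exercising the checks above."""
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
              "iat": now, "exp": now + 300}
    claims.update(overrides)
    return sign_hs256({"alg": "HS256", "typ": "JWT", "kid": "2024-key-1"},
                      claims, IDP_KEYS["2024-key-1"])
```

The order matters: the algorithm allowlist and signature check run before any claim is read, because until the signature verifies, every field in the token is attacker-supplied input. Callers that see `TokenInvalid` should reject the request uniformly rather than reveal which check failed.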

Summary

OAuth 2.0 and OIDC let users sign in with Google, Microsoft, or an enterprise IdP. Use HTTPS and secure cookies. Validate and refresh tokens; handle logout and token revocation.