Skip to main content

API Security (OAuth/OIDC) Review Checklist

A security review checklist for OAuth 2.0 and OIDC-protected APIs covering correct flows, full token validation, least-privilege scopes, PKCE, redirect-URI allowlists, and audit logging. It catches common auth misconfigurations.

Estimated Time
2-4 hours
Type
security audit
Category
Security
Steps
12

When to Use This Checklist

Use this checklist to review an API secured with OAuth 2.0 and OpenID Connect (OIDC). OAuth handles delegated authorization and OIDC adds authentication identity on top. These protocols are powerful but easy to misconfigure, and small mistakes such as a missing audience check can expose every protected resource. This review validates the implementation against known attack patterns.

How to Use This Checklist

Confirm the correct flow for each client type first, using authorization code with PKCE for public clients. Then verify the most security-critical control: full token validation of signature, issuer, audience, and expiry on every request. Enforce least-privilege scopes per endpoint, keep tokens short-lived, and ensure they never leak into logs or URLs. Validate redirect URIs against an exact allowlist to block interception attacks, and audit-log authorization decisions.

What Good Looks Like

A secure OAuth/OIDC API validates every token's signature, issuer, audience, and expiry, and rejects anything malformed. Public clients use authorization code flow with PKCE, and redirect URIs match an exact allowlist. Scopes are least-privilege and checked per endpoint. Tokens are short-lived, never logged or placed in URLs, and revocation works. All traffic uses TLS 1.2 or higher, and authorization decisions are audit-logged.

Common Pitfalls

The most dangerous pitfall is accepting tokens without checking the audience, letting a token for one service authorize another. Long-lived tokens that cannot be revoked widen the blast radius of a leak. Implicit flow and missing PKCE expose codes to interception. Tokens in URLs end up in logs and referrers. Finally, scopes that are too broad turn any compromise into full access.

Related Resources

Review OAuth 2.0 and OpenID Connect guidance, the OWASP API Security Top 10, OWASP ASVS, least-privilege principles, and zero-trust architecture.