Security Checklist

To securely integrate your applications with Oracle Identity Cloud Service using OAuth, you must implement security controls recommended by the standard.

The security controls may be considered mandatory or optional depending on your application confidentiality, integrity, and availability requirements.

A secure OAuth integration requires:
  • Security controls implemented across all OAuth participants, which includes the Authorization Server ( Identity Cloud Service), the Resource Owner (user), the Client, and the Resource Server applications

  • Confidentiality of key information: code, access_token, refresh_token, client credentials, and user credentials

  • Server authentication established between OAuth participants (to avoid impersonation attacks)

  • Proper information validation for any request (especially for JSON Web Token (JWT) access tokens)

  • Use of tokens with reduced scopes and time out (to reduce the exposure in case of disclosure and to support the token revocation)

  • Use of typical information security principles such as least privilege


For more information about OAuth security, access the following links:


Additionally, we recommend that you monitor security proactively so that you can quickly identify new security threats.


This page lists the most relevant security recommendations as a checklist, so that you can validate your application security and address the security items according to your expectations.


  • Use TLS in Client and Resource Server Applications

    The use of TLS with all applications provides confidentiality in communications between Identity Cloud Service, resource owners, client applications, and resource server applications. This prevents eavesdropping during transmission of the authorization code, access tokens, refresh tokens, client credentials, and user credentials, as well as preventing replay attacks.

  • Establish Server Authentication (HTTPS with Trusted CA Validation)

    Server authentication allows clients, resource servers, and resource owners to establish communication between themselves and with Identity Cloud Service after verifying the public certificate against the trusted CA.

    If the server fails to provide a trusted certificate (provided by a trusted CA and with a matching hostname), the communication is considered a man-in-the-middle attack.

    Server authentication prevents spoofing, proxying, man-in-the-middle, and phishing attacks to capture authorization codes, access tokens, client credentials, and user credentials.

  • Consider Using a Trusted Assertion with Identity Cloud Service

    Critical security clients can use a client assertion with key cryptography (instead of a client secret) for authentication.

  • Protect the Redirect URI with HTTPS and Trusted CA Validation

    HTTPS and using trusted CA validation prevents authorization "code" phishing and user session impersonation.


  • Configure Applications Following the Least Privilege Principle

    Applications should be configured in Identity Cloud Service with only the minimum rights needed for their operation.

    Narrowing down the scope, flows, grant types, and operations improves the security posture and reduces the impact of a compromised application.

  • Provide a Meaningful Name and Description for Applications

    The application information appears for users under the My Apps and the consent pages.

    The use of meaningful application names and descriptions may prevent users from making mistakes during consent authorization and also contributes to better audit reporting.

  • Provide a Meaningful Description for Scopes

    The scope description appears on the consent page. Explaining the scope, which the user is about to grant, in an understandable way prevents the user from making mistakes during authorization and contributes to better audit reporting.

  • Avoid Scopes Provided Without Consent

    To leverage transparency and rely on the resource owner, provide scopes without permission only when a scope is mandatory, and the user must not be able to deny it.

  • Reduce the Access Token Time Out and Use Refresh Tokens

    Identity Cloud Service supports JWT, an access token that can be validated in resource servers without checking the token in Identity Cloud Service. Because of this, access tokens with long duration can't be easily revoked.

    To implement timely revocation, you can configure the access token with a short lifetime, and then use the refresh token for requesting new access tokens. To perform a timely revocation, you need to revoke the refresh token.

  • Rotate the Application's Client Secrets

    For security critical implementations, implement a client secret rotation. This reduces the risk of getting a compromised client secret explored.

Resource Owner (User)

  • Keep the Resource Owner Informed

    Scope use with consent provides transparency to the resource owner and prevents applications from requesting scopes that are not required.

  • User Awareness

    It's recommended that you teach users how to protect their credentials and identify client, resource server application, and Identity Cloud Service legitimacy (especially when authentication and consent pages appear). This reduces the risk of phishing attacks and the compromise of user credentials.

Application Development

  • Protect Codes, Access Tokens, Refresh Tokens, and Client Credentials

    Applications must preserve the confidentiality of codes, access tokens, refresh tokens, and client credentials. When you develop the application, consider the following measures (among other application security measures):

    • Do not store codes (use the code only during runtime to obtain the access token)

    • Keep access tokens in transient memory and limit their grants

    • Store refresh tokens and client credentials in secure places that can be accessed only by the application

  • Protect the Redirect URL

    The redirect URL (from where Identity Cloud Service retrieves the authorization code) is considered a key component for OAuth security. Be careful when you define this URL to avoid threats such as cross site request forgery and denial of service.

  • Read Tokens from the Native Apps File System

    Attackers may try to get file system access on the device and read the refresh tokens using a malicious application. To reduce this risk, store secrets in secure storage and use device lock to prevent unauthorized device access.

  • Implement Controls for Cloned and Stolen Devices with Native Apps

    To reduce risks when a device with Native Apps gets cloned or stolen, use device lock to prevent unauthorized access and revoke refresh tokens.

  • Validate Application Security Prior to Publication

    Test the application and its hosting environment security before publishing the application to reduce vulnerabilities. Threats related to application hosting and development are not addressed by Identity Cloud Service. These threats include but are not limited to indirect access to application databases and storage, click-jacking, cross-site scripting, script/SQL injection, and information confidentiality flows on the application.

  • Apply Least Privilege During Scope Request

    Client applications should request tokens that contain only scopes that it will possibly or actually use.

    The use of the urn:opc:idm:__myscopes__ scope, although convenient, may retrieve more tokens than needed by the client application.

    A token with extensive scopes can increase the security impact when a token is compromised.

  • Validate JWT Tokens

    When receiving an access token (JWT) from any party (except the Identity Cloud Service server in a direct request from your application), validate the JWT following the JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants and the JWT RFCs.

    See Token Validation for more information on how to validate the token.


    Resource servers must process information only after the entire JWT validation is performed.
  • Receive JWT Tokens Properly

    Resource server applications must receive the access token using only the Authorization: bearer <token> header to avoid threats related to parameter caching.

  • Implement 2-Way TLS Between Client and Resource Server Applications

    For security critical applications, you can implement a 2-way TLS between client and resource server applications to reduce the risk of denial of service (DoS) and impersonation attacks.

    Do not write applications that collect authentication information directly from users.

  • Prevent Click-Jacking

    For newer browsers, avoid iFrames during authorization by enforcing the use of the X-FRAME-OPTIONS header.

    For older browsers, JavaScript frame-busting techniques can be used but may not be effective in all browsers.

  • Avoid the Use of Resource Owner Password Credentials

    The resource owner flow allows a client to request an access token using an end user's ID, password, and the client's own credentials. This grant type presents a higher risk because:
    • It's in charge of collecting the user credentials on the client application (maintains the UID/password anti-pattern).

    • Does not present a consent screen for scope requests.

    Except for migration reasons, avoid the use of this grant type.

  • Use the Cache-Control="no-store" Header

    This header minimizes the risk of not protecting authenticated content and leaking confidential data in HTTP proxies.

  • Avoid Requests with Sensitive Information Sent Using URL Parameters

    The URL parameters (used on GET requests) can be logged in any component between applications such as application logs, proxy servers, firewalls, and network edge components.

    Identity Cloud Service implements alternative search REST endpoints using POST that addresses this risk. See the Query Parameters page for more information.