OAuth 2.0 Protection Standard

All Columbia University APIs shall be protected by OAuth 2.0 or a similar mechanism to meet the following goals:

  • Client app identification. Client apps shall be registered to facilitate:

    • usage metrics

    • identification of and protection from misbehaving apps

    • identification of app owner

    • service levels (SLAs) to distinguish “more important” apps from those that are “less important”.

  • Grant types:

    • For client-server app trust relationships, a minimum of the Client Credentials grant shall be used.

    • For a client acting on behalf of a resource owner, the Authorization Code grant shall be used.

    • Other grant types (Implicit, etc.) are to be approved only on a case-by-case basis.

  • Scope enforcement is to be determined as appropriate. See CU-STD-INTR-001: OAuth 2.0 Scope Standards: API Coarse-grained Authorization for more.

  • OAuth 2.0 client implementation:

    • Always use the state parameter

    • Make sure the nonce parameter is pseudo-random

    • Use a fully-specified redirect_uri

    • Always use TLS (HTTPS)

    • Use the Authorization header rather than the access_token query parameter.
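The client implementation items above, shown together in one Authorization Code flow. This is an added example for illustration, not code from this standard or from any Columbia University project; the authorization endpoint, client id, redirect URI and the dictionary used as a session store are assumed placeholders. It generates state and nonce from a cryptographic random source, refuses non-HTTPS endpoints, sends a fully specified redirect_uri, verifies and consumes the state on the callback so a replayed or forged redirect is rejected, and carries the access token in the Authorization header rather than in the query string.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values for the example; not real endpoints or credentials.
AUTHORIZE_ENDPOINT = "https://auth.example.edu/oauth2/authorize"
CLIENT_ID = "example-client-id"
# Fully specified redirect URI: exact scheme, host and path, no wildcards or bare host.
REDIRECT_URI = "https://app.example.edu/oauth2/callback"


def _require_https(url):
    """Always use TLS: refuse to build a request against a non-HTTPS URL."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"TLS required, refusing non-HTTPS URL: {url}")


def build_authorization_request(scope, session):
    """Build the Authorization Code request URL and remember state/nonce in the session."""
    _require_https(AUTHORIZE_ENDPOINT)
    _require_https(REDIRECT_URI)
    # secrets (CSPRNG) rather than random: state defends against CSRF on the
    # callback, nonce binds the ID token to this login attempt; both must be unguessable.
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_nonce"] = nonce
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(callback_url, session):
    """Validate the redirect back to the client and return the authorization code.

    The stored state is popped so it can be used exactly once; a second delivery
    of the same callback (replay) or a callback with no matching state (forgery)
    raises instead of proceeding to the token exchange.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carried no authorization code")
    return code


def resource_request_headers(access_token):
    """Send the bearer token in the Authorization header, never as ?access_token=...

    Query-string tokens end up in server logs, proxies and browser history;
    the header does not.
    """
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    session = {}
    print(build_authorization_request("read:profile", session))
    callback = f"{REDIRECT_URI}?code=constructed-code&state={session['oauth_state']}"
    print(handle_callback(callback, session))
    print(resource_request_headers("constructed-token"))
```

The nonce is stored alongside the state so that, when an ID token is returned, its nonce claim can be compared against the stored value in the same way; that comparison depends on the token format and is not shown here.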
