SMART authorization and resource retrieval
First, a word about app protection...
The app is responsible for protecting itself from potential misbehaving or malicious values passed to its redirect URL (e.g., values injected with executable code, such as SQL) and for protecting authorization codes, access tokens, and refresh tokens from unauthorized access and use. The app developer must be aware of potential threats, such as malicious apps running on the same platform, counterfeit authorization servers, and counterfeit resource servers, and implement countermeasures to help protect both the app itself and any sensitive information it may hold. For background, see the OAuth 2.0 Threat Model and Security Considerations.
Apps MUST assure that sensitive information (authentication secrets, authorization codes, tokens) is transmitted ONLY to authenticated servers, over TLS-secured channels.
Apps MUST generate an unpredictable
stateparameter for each user session. An app MUST validate thestatevalue for any request sent to its redirect URL; includestatewith all authorization requests; and validate thestatevalue included in access tokens it receives.An app should NEVER treat any inputs it receives as executable code.
An app MUST NOT forward values passed back to its redirect URL to any other arbitrary or user-provided URL (a practice known as an “open redirector”).
An app should NEVER store bearer tokens in cookies that are transmitted in the clear.
Apps should persist tokens and other sensitive data in app-specific storage locations only, not in system-wide-discoverable locations.