Best Practices  |  Authorization  |  Google for Developers (2024)

This page covers some general best practices for integrating with OAuth 2.0. Consider these best practices in addition to any specific guidance for your type of application and development platform. Also refer to the advice for getting your app ready for production and Google's OAuth 2.0 policies.

Handle client credentials securely

The OAuth client credentials establish your app's identity and should be handled carefully. Store these credentials only in secure storage, for example a secret manager such as Google Cloud Secret Manager. Do not hardcode the credentials, commit them to a code repository, or publish them publicly.

Handle user tokens securely

User tokens include both refresh tokens and access tokens used by your application. Store tokens securely at rest and never transmit them in plain text. Use a secure storage system appropriate for your platform, such as Keystore on Android, Keychain Services on iOS and macOS, or Credential Locker on Windows.

Revoke tokens as soon as they are no longer needed and delete them permanently from your systems.

Also consider these best practices for your platform:

  • For server-side applications that store tokens for many users, encrypt them at rest and ensure that your data store is not publicly accessible to the Internet.
  • For native desktop apps, using the Proof Key for Code Exchange (PKCE) protocol is strongly recommended to obtain authorization codes that can be exchanged for access tokens.
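The PKCE flow recommended above for native desktop apps, as an added example that is not part of the original page: the app generates a one-time `code_verifier`, sends only its SHA-256 `code_challenge` with the authorization request, and presents the verifier when exchanging the code. Client ID, redirect URI and scope values are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Google's public OAuth 2.0 authorization endpoint.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy code_verifier (RFC 7636: 43 to 128 characters).

    32 random bytes encode to 43 characters, the minimum length allowed.
    Keep the verifier in memory only; it is never written to disk or logs."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_auth_url(client_id: str, redirect_uri: str, scope: str,
                   state: str, verifier: str) -> str:
    """Authorization request carrying the challenge, never the verifier."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,  # random per-request value, checked on return
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def token_request_body(client_id: str, redirect_uri: str, code: str,
                       verifier: str) -> dict:
    """Body for the code exchange; the verifier leaves the app only here, over TLS,
    so an intercepted authorization code alone cannot be redeemed."""
    return {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": verifier,
    }
```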

Handle refresh token revocation and expiration

If your app has requested a refresh token for offline access, you must also handle its invalidation or expiration. A token can become invalid for different reasons: for example, it may have expired, or your app's access may have been revoked by the user or by an automated process. In this case, consider carefully how your application should respond, including prompting the user at their next login or cleaning up their data. To be notified of token revocation, integrate with the Cross-Account Protection service.
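One way to classify a failed refresh attempt and act on it, as an added example that is not the page's or Google's own code: an `invalid_grant` error from the token endpoint (the standard OAuth 2.0 error for a revoked or expired refresh token) is treated as final, so the stored tokens are purged and the user is re-prompted at next login, while server-side failures are retried. The `TokenStore` class stands in for the platform's secure storage and the response bodies are constructed samples.

```python
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class RefreshOutcome(Enum):
    OK = "ok"
    REAUTHORIZE = "reauthorize"    # refresh token is dead: purge, re-prompt at next login
    CONFIG_ERROR = "config_error"  # client credential or client config problem: alert, do not retry
    RETRY_LATER = "retry_later"    # transient failure: keep tokens, back off


@dataclass
class TokenStore:
    """Hypothetical stand-in for Keystore/Keychain/Credential Locker or an encrypted DB."""
    refresh_token: Optional[str]
    access_token: Optional[str]


def handle_refresh_response(status: int, body: str, store: TokenStore) -> RefreshOutcome:
    """Interpret a token-endpoint reply to a refresh_token grant and update storage."""
    if status == 200:
        data = json.loads(body)
        store.access_token = data["access_token"]
        # If the server issues a replacement refresh token, keep the newest one.
        store.refresh_token = data.get("refresh_token", store.refresh_token)
        return RefreshOutcome.OK
    if status >= 500:
        return RefreshOutcome.RETRY_LATER
    try:
        err = json.loads(body).get("error", "")
    except ValueError:
        err = ""
    if err == "invalid_grant":
        # Revoked by the user, expired, or invalidated by an automated process.
        # Delete permanently; the app must request consent again, in context.
        store.refresh_token = None
        store.access_token = None
        return RefreshOutcome.REAUTHORIZE
    if err in ("invalid_client", "unauthorized_client"):
        return RefreshOutcome.CONFIG_ERROR
    # Unknown 4xx: surface to operators rather than looping on a dead token.
    return RefreshOutcome.CONFIG_ERROR


# Constructed sample responses (not captured from a live endpoint).
SAMPLE_OK = '{"access_token": "ya29.constructed", "expires_in": 3599, "token_type": "Bearer"}'
SAMPLE_REVOKED = '{"error": "invalid_grant", "error_description": "constructed: revoked"}'
```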

Use incremental authorization

Use incremental authorization to request appropriate OAuth scopes when the functionality is needed by your application.

You should not request access to data when the user first authenticates, unless it is essential for the core functionality of your app. Instead, request only the specific scopes that are needed for a task, following the principle of selecting the smallest, most limited scopes possible.

Always request scopes in context to help your users understand why your app is requesting access and how the data will be used.

For example, your application may follow this model:

  1. The user authenticates with your app
    1. No additional scopes are requested. The app provides basic functionality to let the user explore and use features that do not require any additional data or access.
  2. The user selects a feature that requires access to additional data
    1. Your application makes an authorization request for this specific OAuth scope required for this feature. If this feature requires multiple scopes, follow the best practices below.
    2. If the user denies the request, the app disables the feature and gives the user additional context to request access again.

Handle consent for multiple scopes

When requesting multiple scopes at once, users may not grant all OAuth scopes you have requested. Your app should handle the denial of scopes by disabling relevant functionality.

If your app's basic functionality requires multiple scopes, explain this to the user before prompting for consent.

You may only prompt the user again once they have clearly indicated an intent to use the specific feature that requires the scope. Your app should provide the user with relevant context and justification before requesting OAuth scopes.

You should minimize the number of scopes your app requests at once. Instead, utilize incremental authorization to request scopes in context of features and functionality.
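The incremental model above and the partial-consent handling in this section, as one added example that is not the page's or Google's own code: each feature maps to the scopes it needs, the authorization request for a feature carries `include_granted_scopes=true` so earlier grants are merged, and the `scope` field of the token response (the scopes the user actually granted) decides which features are enabled and which are disabled pending another in-context request. The feature mapping, client ID and redirect URI are constructed placeholders; the scope URIs are real Google scopes.

```python
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Constructed mapping: which scopes each feature of the app requires.
FEATURE_SCOPES = {
    "calendar_view": {"https://www.googleapis.com/auth/calendar.readonly"},
    "drive_export": {"https://www.googleapis.com/auth/drive.file"},
}


def incremental_auth_url(client_id: str, redirect_uri: str, feature: str, state: str) -> str:
    """Ask only for the feature's scopes, at the moment the user selects the feature.

    include_granted_scopes=true asks Google to add these to scopes already
    granted, so the app keeps one token covering everything consented so far."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(FEATURE_SCOPES[feature])),
        "include_granted_scopes": "true",
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def granted_scopes(token_response: dict) -> set:
    """The token response lists the scopes the user actually granted, space-delimited.
    Never assume the requested set was granted."""
    return set(token_response.get("scope", "").split())


def enabled_features(granted: set) -> set:
    """Features whose full scope set is covered by what was granted."""
    return {f for f, needed in FEATURE_SCOPES.items() if needed <= granted}


def missing_scopes(feature: str, granted: set) -> set:
    """Scopes still to be requested (in context) before the feature can be turned on."""
    return FEATURE_SCOPES[feature] - granted


# Constructed token response: user accepted calendar access, declined Drive.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "ya29.constructed",
    "expires_in": 3599,
    "token_type": "Bearer",
    "scope": "openid https://www.googleapis.com/auth/calendar.readonly",
}
```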

Use secure browsers

On the web, OAuth 2.0 authorization requests must only be made from full-featured web browsers. On other platforms, make sure to select the correct OAuth client type and integrate OAuth as appropriate for your platform. Do not redirect the request through embedded browsing environments, including webviews on mobile platforms, such as WebView on Android or WKWebView on iOS. Instead, utilize native OAuth libraries or Google Sign-in for your platform.

Manual creation and configuration of OAuth clients

In order to prevent abuse, OAuth clients cannot be created or modified programmatically. You must use the Google Developers console to explicitly acknowledge the terms of service, configure your OAuth client and prepare for OAuth verification.

For automated workflows, consider using service accounts instead.
