
Security Best Practices

Adhering to these security best practices is paramount when integrating with any authentication service.

  • HTTPS Everywhere: All communication between your application and Visual Passcodes (Authorization requests, Token exchanges, JWKS fetching, API calls) must occur over HTTPS to protect sensitive data (authorization codes, tokens, client secrets) from eavesdropping and tampering.
  • Client Secret Protection (Confidential Clients): The client_secret is a highly sensitive credential. It must be stored securely on your server-side environment (e.g., environment variables, secret management service) and never exposed in client-side code, logs, or public repositories.
  • Redirect URI Validation: During client registration with Visual Passcodes, register every redirect_uri your application will use, as exact values (no wildcards or prefix patterns). Visual Passcodes will only redirect to these registered URIs, which stops an attacker from steering the authorization_code to an endpoint they control. Keep your own callback handler free of open redirects as well: forwarding the user to a URL taken from a request parameter would undo this protection.
  • State Parameter: Generate a fresh, unpredictable state value (from a cryptographically secure random source) for every authorization request, bind it to the user's session, and reject any callback from Visual Passcodes whose state does not match a pending request. Consume each state once so that a replayed callback is rejected. This is the primary defence against Cross-Site Request Forgery (CSRF), where an attacker's authorization response is injected into a victim's session.
  • Nonce Parameter: Generate a fresh nonce alongside the state, store it with the pending request, and include it in the authorization request. When the id_token arrives, require its nonce claim to equal the stored value and reject the token otherwise. This binds the id_token to the login attempt that requested it and blocks replay of a captured id_token. It matters for every client type and is especially important for public clients.
  • Token Validation (Signature, Claims, Expiration):
    • Always validate the signature of id_tokens, and of access_tokens where your resource server consumes them as JWTs, using Visual Passcodes' public keys from the JWKS Endpoint. Select the key by the token's kid, accept only the signing algorithms you expect (reject none and any algorithm the key was not published for), and refresh the JWKS when an unknown kid appears, since signing keys rotate. This verifies the token's authenticity and ensures it hasn't been tampered with.
    • Always validate critical claims: iss must equal the issuer exactly, aud must contain your client_id (if aud lists several audiences, azp must equal your client_id), and exp must be in the future, allowing at most a small clock-skew tolerance. Also reject tokens whose iat or nbf lies in the future. Together these ensure the token is legitimate, intended for your application, and still valid.
    • For id_tokens, also validate the nonce claim against the value you stored when starting the login.
  • PKCE (Public Clients): For public clients (SPAs, mobile apps), PKCE is mandatory. Use the S256 code_challenge_method; the plain method does not protect a code_verifier that an attacker can observe in transit. Keep the code_verifier out of URLs and logs, and send it only in the token request. PKCE prevents authorization code interception attacks, and confidential clients gain the same protection by enabling it too.
  • Regular Updates: Keep all your libraries, frameworks, and dependencies (especially OIDC client libraries) updated to their latest versions to patch any known security vulnerabilities.
  • Input Validation & Error Handling: Treat everything received from Visual Passcodes and from the user as untrusted input and validate it (parameter presence, type, length and allowed values) before use. Handle errors so that failures are reported to the user generically, while tokens, authorization codes and client secrets are never written to error messages or logs.
  • Principle of Least Privilege: Request only the minimum necessary scopes that your application requires to function. Avoid requesting excessive permissions.
  • Regular Security Audits: Conduct regular security audits and penetration tests of your integrated application to identify and address potential vulnerabilities.
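The state, nonce, PKCE and token-validation items above are steps of one login flow. The following is an added example (it is not Visual Passcodes' own code or SDK) of the server-side pieces of that flow in Python using only the standard library: generating and storing state, nonce and an S256 PKCE pair, consuming the state once on callback, selecting the JWKS key by kid under an algorithm allow-list, and validating iss, aud/azp, exp, iat and nonce. The issuer URL, authorization endpoint, client_id and the JWKS entry are placeholders, and the demo id_token is constructed without a real signature; signature verification itself is left to your JWT library, which you would hand the selected key.

```python
# Added example, not Visual Passcodes' code. ISSUER, AUTHORIZE_URL, CLIENT_ID and the
# JWKS below are placeholders; signature verification is delegated to your JWT library.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://auth.example.com"        # placeholder: your Visual Passcodes issuer URL
AUTHORIZE_URL = ISSUER + "/authorize"       # placeholder: authorization endpoint
CLIENT_ID = "my-client-id"                  # placeholder: your registered client_id
ALLOWED_ALGS = {"RS256", "ES256"}           # algorithms you expect the IdP to sign with; never "none"
CLOCK_SKEW = 60                             # seconds of tolerated clock drift


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and PKCE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_challenge(code_verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)). The 'plain' method gives no protection."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def begin_login(session: dict, redirect_uri: str, scope: str = "openid profile") -> str:
    """Create state, nonce and PKCE values, keep them server-side, return the authorize URL."""
    state = secrets.token_urlsafe(32)           # 256 bits from a CSPRNG, unguessable
    nonce = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)   # 86 chars, inside RFC 7636's 43..128 range
    session[state] = {"nonce": nonce, "code_verifier": code_verifier, "redirect_uri": redirect_uri}
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
        "scope": scope, "state": state, "nonce": nonce,
        "code_challenge": pkce_challenge(code_verifier), "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> dict:
    """Check the returned state and consume it once; return what the token exchange needs."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    pending = session.pop(state, None)          # pop = single use; a replayed callback fails
    if pending is None or not code:
        raise ValueError("unknown or missing state (possible CSRF)")
    return {"code": code, **pending}


def select_jwk(id_token: str, jwks: dict) -> dict:
    """Pick the verification key from the *unverified* header; enforce the alg allow-list first."""
    header = json.loads(b64url_decode(id_token.split(".")[0]))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError("rejected alg %r" % alg)
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == header.get("kid") and jwk.get("alg", alg) == alg:
            return jwk
    raise ValueError("no key with that kid in JWKS; refresh the JWKS once, then fail")


def validate_id_token_claims(claims: dict, expected_nonce: str, now=None) -> None:
    """Claim checks to run after the signature has been verified under the selected key."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) + CLOCK_SKEW <= now:
        raise ValueError("token expired")
    if claims.get("iat") is None or claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("iat missing or in the future")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch (possible replay)")


if __name__ == "__main__":
    session = {}
    begin_login(session, "https://app.example.com/callback")
    state = next(iter(session))
    # Constructed callback, id_token and JWKS for the demo; a real token carries a real signature.
    pending = handle_callback(session, "https://app.example.com/callback?code=c0de&state=" + state)
    now = 1_700_000_100
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 3500, "iat": now - 100, "nonce": pending["nonce"]}
    token = ".".join([b64url(b'{"alg":"RS256","kid":"k1"}'), b64url(json.dumps(payload).encode()), "sig-omitted"])
    jwks = {"keys": [{"kty": "RSA", "kid": "k1", "alg": "RS256", "n": "constructed-modulus", "e": "AQAB"}]}
    key = select_jwk(token, jwks)      # hand `key` to your JWT library to verify the signature
    validate_id_token_claims(json.loads(b64url_decode(token.split(".")[1])), pending["nonce"], now=now)
    print("state, PKCE and id_token claim checks passed for code", pending["code"])
```

The order matters: `select_jwk` runs before any signature check so that an `alg` of `none` or an unexpected algorithm is rejected without touching key material, and `validate_id_token_claims` runs only after your JWT library has verified the signature with the returned key, since claims in an unverified token are attacker-controlled.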