
Offensive360 Academy · Advanced · 25 min

OAuth 2.0 Misconfigurations

Understand redirect_uri bypass, missing state parameters, and token leakage that compromise OAuth flows.

1 OAuth 2.0 Attack Scenarios

OAuth 2.0 is a widely used authorization framework. Misconfigurations in client or server implementations create several critical attack vectors.

1. redirect_uri bypass:

If the authorization server accepts partial matches or wildcards for redirect_uri, an attacker can redirect the authorization code to their server:

https://auth.example.com/authorize
  ?client_id=app123
  &redirect_uri=https://attacker.com/callback  ← accepted if validation is weak

2. Missing state parameter (CSRF on OAuth):

Without the state parameter, an attacker can initiate an OAuth flow and trick the victim into completing it, linking the attacker's account to the victim's identity.

3. Authorization code or token leakage via the Referer header:

The authorization code arrives in the query string of the callback URL. If that callback page loads external resources (scripts, images, analytics), the browser sends the callback URL, code included, in the Referer header of those third-party requests:

GET /callback?code=AUTH_CODE&state=xyz HTTP/1.1
Referer: https://victim-site.com/page  ← auth code leaks if page has external resources

4. Authorization code interception:

Without PKCE, an authorization code intercepted in transit can be exchanged for an access token by an attacker, because nothing ties the code to the client instance that requested it.

2 Secure OAuth Implementation

Implement OAuth securely by enforcing strict redirect_uri validation, using PKCE, and always validating the state parameter.

Strict redirect_uri validation (server-side):

# Exact match only — no prefix or wildcard matching
ALLOWED_REDIRECT_URIS = [
    "https://myapp.com/oauth/callback",
]

def validate_redirect_uri(redirect_uri):
    # Compare the raw string against the registered list; never startswith() or regex
    if redirect_uri not in ALLOWED_REDIRECT_URIS:
        raise ValueError("Invalid redirect_uri")
    return redirect_uri
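As an added example (not code from the Offensive360 page), the following Node.js snippet puts the weak prefix matcher that causes the redirect_uri bypass next to the exact-match rule above, and runs both over a few constructed callback URIs so the difference is visible as test output. The client registration `app123`, the registered callback and the sample URIs are assumptions made for illustration.

```javascript
// Added example: weak (prefix) vs strict (exact) redirect_uri validation.
// Client registration and sample URIs are constructed for illustration.
const REGISTERED_CLIENTS = {
  app123: { redirectUris: ["https://myapp.com/oauth/callback"] },
};

// Weak: anything that merely *starts with* a registered URI is accepted.
// This is the "partial match" misconfiguration described in the text.
function weakRedirectCheck(clientId, redirectUri) {
  const client = REGISTERED_CLIENTS[clientId];
  if (!client) return false;
  return client.redirectUris.some((u) => redirectUri.startsWith(u));
}

// Strict: the value must be an absolute https URL without a fragment
// (RFC 6749 section 3.1.2 forbids fragments) and must equal a registered
// URI byte for byte. No normalisation, no prefix, no wildcard.
function strictRedirectCheck(clientId, redirectUri) {
  const client = REGISTERED_CLIENTS[clientId];
  if (!client) return false;
  let parsed;
  try {
    parsed = new URL(redirectUri);
  } catch {
    return false; // not an absolute URL at all
  }
  if (parsed.protocol !== "https:" || parsed.hash !== "") return false;
  return client.redirectUris.includes(redirectUri);
}

// Constructed negative test cases: every entry after the first shares the
// registered prefix (or is otherwise malformed) and must be rejected.
const CASES = [
  "https://myapp.com/oauth/callback",                       // legitimate
  "https://myapp.com/oauth/callback/../account",            // path traversal
  "https://myapp.com/oauth/callback?next=https://other.example", // extra query
  "https://myapp.com/oauth/callback#fragment",              // fragment present
  "http://myapp.com/oauth/callback",                        // wrong scheme
  "not a url",                                              // garbage
];

// Returns, for each case, what the weak and the strict check decide.
function compareMatchers(clientId = "app123") {
  return CASES.map((uri) => ({
    uri,
    weak: weakRedirectCheck(clientId, uri),
    strict: strictRedirectCheck(clientId, uri),
  }));
}

for (const row of compareMatchers()) {
  console.log(`${row.weak ? "WEAK accepts " : "weak rejects "}${row.strict ? "STRICT accepts " : "strict rejects "}${row.uri}`);
}
```

The prefix matcher accepts the first four cases; the strict matcher accepts only the first. Keeping the registered list as plain strings and comparing with `includes` is the whole point: any "helpful" normalisation or pattern matching on the server side is what creates the bypass.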

PKCE (Proof Key for Code Exchange):

const crypto = require("crypto");

// Client generates a high-entropy code_verifier and derives code_challenge from it
const verifier = crypto.randomBytes(32).toString("base64url");
const challenge = crypto.createHash("sha256")
  .update(verifier).digest("base64url");

// Send challenge (with code_challenge_method=S256) in the authorization request
// Send verifier when exchanging the code for a token
// Server verifies: base64url(sha256(verifier)) === stored challenge for that code

State parameter validation:

// Before redirect: generate an unguessable state and bind it to this user's session
const state = crypto.randomBytes(16).toString("hex");
req.session.oauthState = state;

// In callback: the returned state must equal the one this session generated
if (req.query.state !== req.session.oauthState) {
  return res.status(400).send("State mismatch — possible CSRF");
}

Knowledge Check

Q1

What does a missing OAuth state parameter enable?

Q2

What does PKCE protect against in OAuth 2.0?

Q3

What is the correct approach for validating redirect_uri on the authorization server?

Code Exercise

Validate OAuth State Parameter

The OAuth callback handler does not validate the state parameter, making it vulnerable to CSRF. Add state validation before processing the authorization code.
