Skip to content

Best Practices

  • Use widely used and well-known libraries instead of rolling-your-own implementations.
  • Avoid performing unnecessary network calls to identity providers
    • Cache public keys if possible, somewhere between 1 to 24 hours.
    • Cache tokens locally if possible.
  • For the OpenID Connect Authorization Code Flow, use PKCE.
    • Do not use the implicit grant - it is considered deprecated and less secure.
  • If using cookies, ensure that you set appropriate attributes:
    • HttpOnly - disallow access from client-side JavaScript
    • Secure - only allow transmission for HTTPS requests
    • SameSite - should be Lax eller Strict to combat cross-site request forgery.

It is also recommended that you familiarize yourself with the following specifications: