← Back to glossary

OAuth 2.0

Networking PHP 7.0+ Intermediate

debt(d7/e5/b5/t7)

d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). The detection_hints indicate semgrep can catch specific patterns (missing state parameter, exposed client_secret in JS), but the tool notes automated=no, meaning a human must craft and maintain the rules. Many OAuth2 misconfigurations — like accepting tokens from wrong audiences or not restricting redirect_uri — require manual code review or integration testing to surface; they won't appear as obvious compiler or default linter errors.

e5 Effort Remediation debt — work required to fix once spotted

Closest to 'touches multiple files / significant refactor in one component' (e5). The quick_fix says to use an established library (league/oauth2-client) and implement state, PKCE, and secret handling correctly. Migrating from a bespoke or flawed OAuth2 implementation to a library-based one typically touches the auth callback controller, session handling, configuration/environment files, and possibly frontend code — more than a one-liner but contained to the auth component rather than being fully cross-cutting.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). OAuth2 flows apply to web and API contexts (applies_to includes both), and auth decisions shape session management, API gateway configuration, and how third-party integrations are structured. However, the burden is not quite architectural (b7/b9) because a well-chosen library can encapsulate most of the complexity, leaving the rest of the codebase relatively unaffected beyond the auth layer.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap — contradicts how a similar concept works elsewhere' (t7). The canonical misconception is that OAuth 2.0 is an authentication protocol when it is actually an authorisation framework — a fundamental confusion that leads developers to skip OpenID Connect entirely and derive identity from access tokens insecurely. Combined with the common_mistakes (missing state, open redirect_uri, Implicit flow), these are well-documented but frequently repeated traps that cause account takeover vulnerabilities, scoring close to t7.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-11 · reviewed by human

Also Known As

OAuth2 OAuth

TL;DR

An authorisation framework that allows applications to obtain limited access to user accounts on third-party services without exposing passwords.

Explanation

OAuth 2.0 defines several grant types for different use cases. The Authorization Code flow (with PKCE for public clients) is the most secure: the user authenticates with the identity provider, receives a short-lived code, and the client exchanges it for tokens. The Implicit flow is deprecated. Client Credentials is used for machine-to-machine. OAuth 2.0 handles authorisation only; OpenID Connect adds identity (authentication) on top.

Diagram

sequenceDiagram
    participant U as User
    participant C as Client App
    participant A as Auth Server
    participant R as Resource Server
    U->>C: Click Login with Google
    C->>A: Redirect + client_id + state + scope
    A->>U: Show login and consent screen
    U->>A: Approve
    A->>C: Redirect with code + state
    C->>A: POST code + client_secret
    A->>C: access_token + id_token
    C->>R: GET /userinfo Bearer token
    R->>C: User profile data

Common Misconception

✗ OAuth 2.0 is an authentication protocol — it is an authorisation framework; use OpenID Connect on top for authentication.

Why It Matters

OAuth flaws (missing state validation, open redirect_uri) enable account takeover without ever needing the user's password.

Common Mistakes

Not validating the state parameter — enables CSRF against the OAuth callback.
Not restricting redirect_uri — any URI can receive the authorisation code.
Using Implicit flow — the access token is exposed in the browser URL and history.
Not validating the id_token audience (aud) claim when using OIDC — tokens issued to other clients are accepted.

Code Examples

✗ Vulnerable

// Missing state validation — CSRF on OAuth callback:
$code = $_GET['code'];
// state parameter not checked — attacker can forge the callback
$tokens = exchangeCode($code);
loginUser($tokens);

✓ Fixed

// State validation prevents CSRF:
$state = $_GET['state'] ?? '';
if (!hash_equals($_SESSION['oauth_state'], $state)) {
    throw new SecurityException('Invalid state — possible CSRF');
}
unset($_SESSION['oauth_state']);
$tokens = exchangeCode($_GET['code']);

Tags

Added 15 Mar 2026

Edited 22 Mar 2026

Curated in Warsaw under one editorial standard. 1,506 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Amazonbot 10 Scrapy 10 Perplexity 5 Ahrefs 4 Google 3 SEMrush 3 Bing 2 ChatGPT 2 Majestic 1 Claude 1 Qwen 1 Meta AI 1 PetalBot 1

Also referenced

JWT Vulnerabilities 84 Two-Factor Authentication (2FA) 51 OAuth 2.0 Vulnerabilities 41 OpenID Connect (OIDC) 39

How they use it

crawler 41 crawler_json 3

Related categories

security 7.9k networking 1k

⚡ DEV INTEL Tools & Severity

🟠 High ⚙ Fix effort: High

⚡ Quick Fix

Use an established OAuth2 library (league/oauth2-client) — implement state parameter to prevent CSRF, use PKCE for public clients, and never put client_secret in frontend code

📦 Applies To

PHP 7.0+ web api

🔗 Prerequisites

OpenID Connect (OIDC) JWT Deep Dive PHP Session

🔍 Detection Hints

OAuth2 implementation without state parameter verification or client_secret exposed in JavaScript

Auto-detectable: ✗ No semgrep

⚠ Related Problems

Account Takeover (ATO) Cross-Site Request Forgery (CSRF)

🤖 AI Agent

Confidence: Medium False Positives: Medium ✗ Manual fix Fix: High Context: File Tests: Update

CWE-287 CWE-601