Documentation
Security Best Practices
Practical controls for production OAuth / OIDC clients.
Secrets
- Store
YOUR_CLIENT_SECRETonly in server-side secret managers. - Never commit secrets or paste them into tickets/chat.
- Rotate credentials with Radiant Networks if exposure is suspected.
PKCE and state
- Always use S256 PKCE — required for many clients.
- Validate
stateon every callback. - Use a
nonceand verify it in the ID token.
Redirect URIs
- Register exact URIs — no wildcards in application code assumptions.
- Prefer HTTPS everywhere; localhost HTTP only for local development.
- Avoid open redirects after login; whitelist internal return paths.
Cookies and sessions
- Session cookies:
HttpOnly,Secure,SameSite=Lax(or stricter). - Keep token material off the client for confidential apps.
- Bind sessions to your own user table keyed by OIDC
sub.
Tokens
- Verify JWTs with JWKS; check
iss,aud,exp. - Refresh access tokens shortly before expiry.
- Revoke tokens on logout.
Warning
Public clients must not ship a client secret. If you are building a mobile or SPA client, ask Radiant Networks for a public client configuration with PKCE.
Tip
Fetch discovery and JWKS over TLS and cache them briefly. Pinning endpoints from discovery reduces configuration drift.