Documentation

Security Best Practices

Practical controls for production OAuth / OIDC clients.

Secrets

  • Store YOUR_CLIENT_SECRET only in server-side secret managers.
  • Never commit secrets or paste them into tickets/chat.
  • Rotate credentials with Radiant Networks if exposure is suspected.

PKCE and state

  • Always use S256 PKCE — required for many clients.
  • Validate state on every callback.
  • Use a nonce and verify it in the ID token.

Redirect URIs

  • Register exact URIs — no wildcards in application code assumptions.
  • Prefer HTTPS everywhere; localhost HTTP only for local development.
  • Avoid open redirects after login; whitelist internal return paths.

Cookies and sessions

  • Session cookies: HttpOnly, Secure, SameSite=Lax (or stricter).
  • Keep token material off the client for confidential apps.
  • Bind sessions to your own user table keyed by OIDC sub.

Tokens

  • Verify JWTs with JWKS; check iss, aud, exp.
  • Refresh access tokens shortly before expiry.
  • Revoke tokens on logout.
Warning
Public clients must not ship a client secret. If you are building a mobile or SPA client, ask Radiant Networks for a public client configuration with PKCE.
Tip
Fetch discovery and JWKS over TLS and cache them briefly. Pinning endpoints from discovery reduces configuration drift.