Best Practice for Managing Tokens or How to Avoid Being the Next Victim After FaceBook

From IIW

Best Practices: Managing Access Tokens or How to Avoid Being the Next Victim after Facebook

Day/Session:Wednesday 3A

Convener:Bjorn Hjelm

Notes-taker(s): Bjorn Hjelm

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Background slides:


  • Discussed the background and possible incorrect understanding of OAuth 2.0 in the implementation by Facebook.
  • Agreement that there was a need for a common glossary for the terms in OAuth 2.0 to help developers. The interpretation of the terms or what the terms are referring to may also result in different interpretations (authorize v. entitlement, privileges as authority v. permission, etc.). One proposal was to ask IDPro ( to develop this glossary.
  • Part of the issue was also business process related (for example, for Access Tokens revocation).
  • Based on discussion of do’s and don’ts when implementing OAuth 2.0, there was a proposal for creating a best practices implementation guide that could possible reside on
  • The general guideline was to be very restrictive with the privileges associated with an Access Token (per draft-ietf-oauth-security-topics) and to manage Access Tokens through the Refresh Token (that is only intended for use with an Authorization Servers).