OAuth identity considerations
Learn best practices and policy guidelines for managing user sessions, token security, data privacy, and compliance within your NetFoundry Frontdoor environment.
Session management
Session duration is controlled by the Auth Provider configuration, requiring users to re-authenticate when sessions expire. Sessions are scoped to the specific Share, meaning that switching between Shares may require re-authentication depending on the configuration.
Identity verification and trust
Require OAuth providers to assert a verified email address (for OpenID Connect, the email_verified claim) before accepting a login, and bind user identities to a stable identifier such as the provider's subject (sub) or user ID rather than to the email address alone, because email addresses can change or be reassigned to a different person. Configure only trusted OAuth providers with strong security practices and current security certifications, and prefer providers that enforce multi-factor authentication.
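The binding rule above in code, as an added example that is not NetFoundry Frontdoor code. It assumes the ID token's signature, issuer, audience and expiry have already been verified by the OIDC library and shows only what to do with the claims afterwards: refuse logins without a provider-verified email, key the account on the (iss, sub) pair, treat the email as a changeable attribute of that subject, and refuse to link a different subject to an email that an existing account already holds. The IdentityBinder class and its method names are this example's own.

```python
"""Bind a login to a stable identifier and treat email as a mutable attribute."""
from typing import Optional, Tuple

SubjectKey = Tuple[str, str]  # (iss, sub): the only stable key an OIDC provider guarantees


class IdentityBinder:
    def __init__(self) -> None:
        self._email_by_subject: dict = {}  # (iss, sub) -> current verified email
        self._subject_by_email: dict = {}  # verified email -> (iss, sub)

    def authenticate(self, claims: dict) -> dict:
        """Map verified ID-token claims to an account; raises ValueError on refusal."""
        for name in ("iss", "sub", "email"):
            if not claims.get(name):
                raise ValueError(f"missing claim: {name}")
        # Many providers let users type in any email; only accept provider-verified ones.
        if claims.get("email_verified") is not True:
            raise ValueError("email not verified by provider")

        key: SubjectKey = (claims["iss"], claims["sub"])
        email = claims["email"].strip().lower()
        known_email = self._email_by_subject.get(key)

        if known_email is None:
            self._check_email_free(key, email)
            self._bind(key, email)
            return {"subject": key, "email": email, "status": "new"}
        if known_email != email:
            # Same subject, new email: same person, only the attribute changed.
            self._check_email_free(key, email)
            self._subject_by_email.pop(known_email, None)
            self._bind(key, email)
            return {"subject": key, "email": email, "status": "email_updated"}
        return {"subject": key, "email": email, "status": "returning"}

    def _check_email_free(self, key: SubjectKey, email: str) -> None:
        owner = self._subject_by_email.get(email)
        if owner is not None and owner != key:
            # A different subject already holds this email. Matching on email here
            # would hand that account to whoever controls the new subject.
            raise ValueError("email already bound to another subject")

    def _bind(self, key: SubjectKey, email: str) -> None:
        self._email_by_subject[key] = email
        self._subject_by_email[email] = key

    def subject_for_email(self, email: str) -> Optional[SubjectKey]:
        return self._subject_by_email.get(email.strip().lower())
```

The status value lets the caller log an email change as a distinct audit event rather than a plain login, which is the signal you want when reviewing account takeovers.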
Token security best practices
Request only the minimum necessary OAuth scopes, such as openid, email, and profile, following the principle of least privilege, and ensure that Frontdoor manages OAuth tokens server-side without exposing raw tokens to client applications. Configure token lifetimes that balance security and user experience, typically 1 to 24 hours for access tokens, and use OAuth providers that support refresh token rotation so that a leaked refresh token has only a short useful life.
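The token-handling pattern described above, as an added example that is not Frontdoor's implementation. RotatingProvider stands in for an OAuth provider that supports refresh token rotation (each refresh retires the old refresh token, and reuse of a retired token revokes the whole token family, as rotation-capable providers do), and ServerSideTokenStore plays the relying party: access and refresh tokens stay in server memory, the client only ever holds an opaque session id, an expired access token is refreshed transparently, and the session is capped at 24 hours no matter how many refreshes succeed. Token values are random placeholders rather than real JWTs, the clock is injected so the example runs deterministically, and the class and constant names are assumptions of this example.

```python
"""Server-side token handling with bounded lifetimes and refresh token rotation."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ACCESS_TOKEN_LIFETIME = 60 * 60      # 1 hour: inside the 1-24 h guidance above
MAX_SESSION_LIFETIME = 24 * 60 * 60  # absolute cap, no matter how many refreshes


class RotatingProvider:
    """Stand-in for a provider's token endpoint with refresh token rotation."""

    def __init__(self) -> None:
        self._live: Dict[str, str] = {}     # usable refresh token -> family id
        self._retired: Dict[str, str] = {}  # rotated-out refresh token -> family id

    def _mint(self, family: str) -> Tuple[str, str]:
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self._live[refresh] = family
        return access, refresh

    def issue(self) -> Tuple[str, str]:
        """Initial grant: a fresh token family with one access and one refresh token."""
        return self._mint(secrets.token_hex(8))

    def refresh(self, refresh_token: str) -> Tuple[str, str]:
        family = self._live.pop(refresh_token, None)
        if family is None:
            stale_family = self._retired.get(refresh_token)
            if stale_family is not None:
                # A retired token came back: it leaked or was replayed. Revoke the
                # whole family so the legitimate client must re-authenticate too.
                for tok in [t for t, f in self._live.items() if f == stale_family]:
                    del self._live[tok]
            raise PermissionError("invalid_grant")
        self._retired[refresh_token] = family
        return self._mint(family)


@dataclass
class _Session:
    access: str
    refresh: str
    access_expires_at: float
    started_at: float


class ServerSideTokenStore:
    """Relying-party side: tokens never leave the server; the client gets an opaque id."""

    def __init__(self, provider: RotatingProvider,
                 now: Callable[[], float] = time.time) -> None:
        self._provider, self._now = provider, now
        self._sessions: Dict[str, _Session] = {}

    def login(self) -> str:
        """Complete a login; return the opaque id that goes in the client's cookie."""
        access, refresh = self._provider.issue()
        t = self._now()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = _Session(access, refresh, t + ACCESS_TOKEN_LIFETIME, t)
        return sid

    def access_token(self, sid: str) -> Optional[str]:
        """Token for an upstream call, refreshed if expired; None means re-authenticate."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.started_at >= MAX_SESSION_LIFETIME:
            self.logout(sid)
            return None
        if t >= s.access_expires_at:
            try:
                s.access, s.refresh = self._provider.refresh(s.refresh)
            except PermissionError:
                self.logout(sid)  # provider rejected the grant: drop the session
                return None
            s.access_expires_at = t + ACCESS_TOKEN_LIFETIME
        return s.access

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

The absolute session cap matters because rotation alone lets a session live indefinitely as long as refreshes keep succeeding; the cap is what turns the 1 to 24 hour guidance into an enforced bound.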
Privacy and data protection
Collect and process only the user identity information needed for authentication and authorization decisions, and make sure OAuth consent flows state clearly what data is accessed and how it is used. Define how long authentication session data and user information are retained, and consider data residency requirements when using global OAuth providers so that applicable regulations are met.
Compliance and audit considerations
All authentication events, successful and failed, are logged for security monitoring and compliance. Review and audit regularly which users have access to OAuth-protected resources, ensure OAuth provider configurations meet relevant compliance requirements such as SOC 2, GDPR, and HIPAA, and establish procedures for revoking access and rotating credentials in the event of a security incident.
Risk mitigation strategies
Avoid single points of failure by supporting multiple OAuth providers where appropriate, and consider backup authentication methods for critical applications. Monitor for unusual authentication patterns, such as logins from new geographic locations or at unusual times, rate-limit authentication attempts to prevent brute-force attacks, and provide a mechanism to forcibly invalidate a user's sessions across all Shares when needed.
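The two mechanisms named above, rate limiting and cross-Share session invalidation, as an added example that is not Frontdoor code. AttemptLimiter is a sliding-window limiter on failed attempts keyed both per source address and per account, so a password spray that rotates source IPs against one account is still stopped even though each IP stays under its own limit; SessionRegistry records which Share each session belongs to so that one call revokes every session a user holds. The clock is injected so the example runs deterministically, and the limit and window values are illustrative rather than Frontdoor defaults.

```python
"""Rate-limit authentication attempts and revoke a user's sessions across Shares."""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Hashable, Set, Tuple


class AttemptLimiter:
    def __init__(self, limit: int = 5, window_s: int = 300,
                 now: Callable[[], float] = time.time) -> None:
        self.limit, self.window_s, self._now = limit, window_s, now
        self._failures: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    @staticmethod
    def _keys(source_ip: str, account: str) -> Tuple[Tuple[str, str], Tuple[str, str]]:
        return (("ip", source_ip), ("acct", account.strip().lower()))

    def _recent(self, key: Tuple[str, str], t: float) -> Deque[float]:
        q = self._failures[key]
        while q and t - q[0] >= self.window_s:  # drop failures outside the window
            q.popleft()
        return q

    def allow(self, source_ip: str, account: str) -> bool:
        """True if neither the source IP nor the account has hit its failure limit."""
        t = self._now()
        return all(len(self._recent(k, t)) < self.limit
                   for k in self._keys(source_ip, account))

    def record_failure(self, source_ip: str, account: str) -> None:
        t = self._now()
        for k in self._keys(source_ip, account):
            self._failures[k].append(t)

    def record_success(self, source_ip: str, account: str) -> None:
        # Clear only the account bucket: a valid login from an address that has been
        # guessing other accounts should not wipe that address's history.
        self._failures.pop(("acct", account.strip().lower()), None)


class SessionRegistry:
    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[Hashable, str]] = {}  # sid -> (user, share)
        self._by_user: Dict[Hashable, Set[str]] = defaultdict(set)

    def add(self, sid: str, user: Hashable, share: str) -> None:
        self._sessions[sid] = (user, share)
        self._by_user[user].add(sid)

    def is_valid(self, sid: str) -> bool:
        return sid in self._sessions

    def shares_for(self, user: Hashable) -> Set[str]:
        return {self._sessions[s][1] for s in self._by_user.get(user, ())}

    def revoke_user(self, user: Hashable) -> int:
        """Invalidate every session this user holds, in every Share; returns the count."""
        sids = self._by_user.pop(user, set())
        for sid in sids:
            self._sessions.pop(sid, None)
        return len(sids)
```

Keying the registry on the same stable (iss, sub) pair used for identity binding, rather than on an email address, is what makes the revocation reliable: it catches every session the subject opened even if the email on the account changed in between.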