Keep the authorization redirect, state validation, code exchange, and session creation on the server. The browser should only receive a signed session cookie, not tokens or client secrets. That preserves the trust boundary and reduces the chance of token leakage through client-side code, storage, or debugging tools.
Why This Matters for Security Teams
social login looks simple at the UI layer, but the security boundary is in the OAuth flow, not the button. If client applications ever see client secrets, refresh tokens, or long-lived access tokens, leakage paths multiply through browser storage, JavaScript bundles, debugging tools, and third-party scripts. That is why current guidance on OWASP Non-Human Identity Top 10 and NIST SP 800-63 Digital Identity Guidelines both reinforce server-side trust boundaries and strong session handling.
The risk is not limited to account takeover. OAuth misconfiguration can expose downstream APIs, admin consoles, and connected SaaS tenants when the same token is reused too broadly. NHIMG research on the Salesloft OAuth token breach shows how one compromised integration can become a broad data-access event. In practice, many security teams discover token exposure only after a browser-side implementation has already shipped into production.
How It Works in Practice
The safest implementation keeps the browser on the outside of the credential exchange. The user starts on the application, is redirected to the identity provider, and returns with an authorization code. The server, not the browser, performs the code exchange, validates the issuer and redirect URI, creates the local session, and issues only a signed session cookie to the client. That means the browser never needs the OAuth client secret and never handles bearer tokens directly.
For teams implementing this pattern, the operational controls are straightforward:
- Use the authorization code flow with PKCE where appropriate, especially for public clients.
- Store the OAuth client secret only in server-side configuration or a managed secrets service.
- Validate state, nonce, issuer, audience, and redirect URI on every login response.
- Keep access token use behind the server boundary when possible, so downstream API calls do not expose tokens to the browser.
- Set session cookies as HttpOnly, Secure, and SameSite where application design allows.
This is also where secrets hygiene matters. NHIMG’s Guide to the Secret Sprawl Challenge highlights how quickly credentials spread once they leave a controlled boundary, and the same lesson applies to OAuth client secrets. The real implementation goal is not just “hide the secret,” but ensure the secret is never available to the browser in the first place. These controls tend to break down when frontend teams are allowed to call identity provider token endpoints directly because the secret then becomes embedded in code, build artifacts, or runtime logs.
Common Variations and Edge Cases
Tighter OAuth handling often increases integration overhead, requiring organisations to balance developer convenience against token exposure risk. That tradeoff is real in single-page apps, mobile apps, and partner-facing portals, where there is no universal standard for every deployment pattern yet.
For browser-heavy applications, current guidance suggests treating the frontend as an untrusted presentation layer and shifting sensitive OAuth operations to a backend-for-frontend or dedicated auth gateway. For native mobile apps, the client secret should not be embedded at all, because the app package can be reversed and inspected. For multi-tenant SaaS, one compromised redirect or mis-scoped callback can expose multiple customers, which is why review of redirect URI governance belongs in release engineering, not only in IAM.
Teams should also watch for cases where identity tokens are confused with application sessions. A signed session cookie is not a substitute for proper token scope design, but it is the safer browser-facing artifact when the service has already completed authentication. The practical test is simple: if a developer can inspect the browser and recover anything that can be reused outside the session, the implementation still leaks trust. NHIMG’s analysis of the 52 NHI Breaches Analysis shows that once credentials escape the intended boundary, attackers rarely need a second chance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Client secret exposure is a core non-human identity secret-handling failure. |
| NIST SP 800-63 | 1.1 | Digital identity guidance supports secure session establishment after authentication. |
| NIST CSF 2.0 | PR.AC-1 | Access control should prevent clients from handling secrets directly. |
Validate identity assertions server-side and issue only a hardened session cookie to the browser.
Related resources from NHI Mgmt Group
- How should security teams implement social login in an iOS app without failing App Review?
- How should security teams implement Client ID Metadata Documents?
- How should security teams control bots that crawl public content without exposing login forms?
- How should security teams handle credential migration without exposing secrets?