By NHI Mgmt Group Editorial TeamPublished 2025-09-23Domain: Best PracticesSource: Curity

TL;DR: Client-side OAuth security still depends on brittle trust boundaries that teams often underestimate, according to Curity. Its client security archive brings together guidance on OAuth for browser, mobile, and SPA environments, including unsolicited SAML responses, XSS prevention, token handler design, same-site cookies, and the nonce authenticator pattern.


At a glance

What this is: This is a client security collection focused on hardening OAuth for browser and mobile apps, with emphasis on SAML response handling, PKCE, token handling, XSS prevention, and cookie behavior.

Why it matters: It matters because identity teams still have to secure OAuth flows where browser state, redirects, and tokens can be abused in ways that affect both human login journeys and broader IAM trust assumptions.

👉 Read Curity's client security guidance on OAuth, SAML responses, and browser trust


Context

Client-side OAuth security fails when teams treat the browser, the mobile device, or the redirect chain as trustworthy by default. The primary identity governance question is how to keep OAuth applications resilient when tokens, cookies, and assertions cross boundaries that attackers can influence.

This collection is useful because it connects several practical failure points into one pattern: unsolicited SAML responses, PKCE handling, XSS exposure, token storage, and cookie scoping all shape whether an OAuth client remains trustworthy after initial authentication.


Key questions

Q: How should security teams secure OAuth client flows in browser-based apps?

A: Security teams should minimise the amount of sensitive identity state the browser holds, bind every response to an initiated transaction, and treat XSS as an identity risk. The strongest designs move token custody to a backend component and use strict session correlation so the browser cannot inject or replay authentication artifacts.

Q: Why do unsolicited SAML responses create risk for OAuth applications?

A: They create risk because the application may accept an identity assertion without the request context that proves it was expected. That weakens binding between user, session, and relying party, which increases replay and confusion risk. The control question is whether the app can prove the response belongs to a known transaction.

Q: What do teams get wrong about token handler design for SPAs?

A: Teams often treat the token handler as a convenience layer rather than the security boundary. If the browser still stores, sees, or meaningfully controls tokens, the design has not removed the key exposure. The handler must own exchange and custody, while the front end remains limited to interaction and rendering.

Q: How do same-site cookies help OAuth security, and where do they fall short?

A: Same-site cookies reduce some cross-site session abuse by limiting when browsers send authentication state. They do not solve XSS, unsafe redirects, or weak application logic that trusts client state too broadly. Teams should use cookie scope as one control in a broader session integrity design, not as a standalone fix.


Technical breakdown

Unsolicited SAML responses and OAuth client binding

An unsolicited SAML response is an identity assertion delivered without the client first initiating the transaction. That creates a binding problem for OAuth applications because the application must still prove that the response belongs to the right session, user, and relying party. PKCE helps with code interception, but it does not by itself solve assertion confusion or response injection. The architecture challenge is to bind browser-originated authentication artifacts to a specific transaction and reject anything that arrives out of sequence or outside the expected request context.

Practical implication: enforce strict request-response correlation so identity assertions cannot be replayed, injected, or accepted without a matching initiated flow.

Token handler design for browser-based apps

The token handler pattern keeps sensitive OAuth tokens away from the browser by moving token processing to a backend component. The browser interacts with the handler, while the handler exchanges, stores, or forwards tokens under tighter server-side control. This reduces direct exposure to script-based theft, local storage leakage, and session confusion in single-page applications. The design only works if the handler becomes the security boundary, with clear control over token lifetime, audience, and propagation to downstream APIs.

Practical implication: place token custody on the server side wherever possible and verify that the handler, not the browser, owns token handling decisions.

XSS, cookies, and OAuth session integrity

Cross-site scripting breaks OAuth client security because attacker-controlled script can read, redirect, or manipulate browser state and session flows. Same-site cookie settings reduce some cross-site abuse, but they do not eliminate the risk if application logic still trusts client-side state too broadly. In browser-based apps, the question is not just whether the user authenticated, but whether the application can still trust the integrity of the session after the page loads. Secure cookie design, token placement, and response validation must work together.

Practical implication: treat XSS prevention and cookie scoping as identity controls, not only web-app hygiene, because they directly protect OAuth session trust.


NHI Mgmt Group analysis

OAuth client security is really a trust-boundary problem, not a protocol problem. The article’s mix of SAML, PKCE, cookies, and browser security shows that compromise often happens at the seams between identity layers rather than in the core authorization grant itself. That means practitioners need to evaluate where trust is established, where it is carried forward, and where it can be broken by a client-side attacker. The practical conclusion is that OAuth program design must treat every browser boundary as potentially hostile.

Token handler patterns are a structural response to browser exposure, not just an implementation preference. Once access tokens live in front-end code, the security model inherits XSS, storage leakage, and session manipulation risk. Moving token custody into a backend handler aligns better with zero standing privilege thinking for client sessions because the browser no longer directly holds the most sensitive credential material. The practical conclusion is that token placement should be decided as an identity architecture choice, not as a convenience trade-off.

Unsolicited assertions expose a classic replay and confusion failure mode. IdP-initiated or unsolicited SAML responses can land outside the transaction context the application expected, which makes identity binding weaker unless request correlation is strict. This is not a new authentication problem, but a control-assurance problem where the app must prove the assertion belongs to the right session. The practical conclusion is that response acceptance rules need to be explicit enough to reject anything not anchored to a known transaction.

Browser security and identity governance are now the same control surface. XSS prevention, cookie scope, redirect validation, and session binding are all identity protections when OAuth is the front door. Organisations that still separate web security from identity security create blind spots around the very controls that preserve token integrity and session trust. The practical conclusion is that IAM and application security teams should co-own the browser trust model.

Client security maturity depends on understanding where the browser stops being a safe execution environment. The more an application stores or processes sensitive identity artifacts in the front end, the more it inherits assumptions the browser cannot guarantee. That is why patterns such as nonce handling, server-side token mediation, and same-site cookie discipline belong in the same governance conversation. The practical conclusion is to measure client trust assumptions explicitly instead of assuming modern browser behavior makes them safe.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • For deeper breach context, see The 52 NHI breaches Report for the recurring patterns that appear when identity trust breaks down.

What this signals

Client-side OAuth security is becoming a governance issue, not only an application issue. As browsers, SPAs, and mobile clients carry more of the authentication burden, IAM teams need to define which trust decisions belong in the client and which must remain server-side. The organisations that formalise those boundaries will be better placed to handle token leakage, SSO edge cases, and redirect abuse.

Visibility into delegated access remains the weak point. With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, the next control maturity jump is not another login feature, but better lifecycle control over who can connect, what they can see, and when that access is revoked.

The practical signal for programme owners is that OAuth hardening now overlaps with third-party access governance, browser risk management, and identity incident response. Teams that keep those disciplines separate will keep discovering the same failure modes in different guises.


For practitioners

  • Bind every OAuth response to a known transaction Reject unsolicited or out-of-context SAML responses unless they match a previously initiated flow, the expected audience, and the correct session state. Use strict correlation checks so the application can prove the response belongs to the user interaction that started it.
  • Move sensitive token handling out of the browser Use a backend token handler where the architecture allows it, especially for SPAs and browser-based apps that otherwise expose tokens to script and storage abuse. Make the server component the custody point for exchange, storage, and downstream propagation.
  • Treat XSS prevention as identity control Prioritise script injection testing, content security controls, and safe handling of session state because browser compromise can directly undermine OAuth trust. Coordinate application security and IAM reviews so token integrity is assessed with the same rigor as authentication.
  • Harden cookie scope and session boundaries Apply same-site cookie settings, minimise token exposure in client storage, and review redirect behavior so sessions are not silently extended across unwanted contexts. Validate that browser state cannot be reused outside the intended authentication path.

Key takeaways

  • OAuth client security fails most often at the trust boundaries between browser state, token handling, and assertion acceptance.
  • Visibility gaps around delegated OAuth access remain widespread, which makes lifecycle control and session integrity central governance concerns.
  • Practitioners should treat browser-based identity controls as shared IAM and application-security responsibilities, not as isolated implementation details.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Token handling and client exposure are core NHI security concerns in browser-based flows.
NIST CSF 2.0PR.AC-4Access management must account for browser session trust and delegated OAuth access.
NIST Zero Trust (SP 800-207)PR.AC-1Zero trust requires continuous validation of client and session context in OAuth flows.

Keep sensitive tokens off the client where possible and reduce exposure windows for browser-based identity artifacts.


Key terms

  • Unsolicited SAML Response: A SAML assertion delivered to an application without the application first starting the authentication transaction. This can create confusion about session ownership and response legitimacy unless the app tightly binds the response to a known request and user context.
  • Token Handler Pattern: An architecture that moves sensitive OAuth token processing away from the browser and into a backend component. It reduces exposure to script access, local storage leakage, and client-side manipulation by making the server the primary custody point for token exchange and use.
  • Session Integrity: The assurance that a browser session still belongs to the intended user and cannot be silently altered or replayed by an attacker. In OAuth flows, session integrity depends on response validation, cookie scope, redirect control, and protection against client-side script abuse.

What's in the full article

Curity's full article covers the operational detail this post intentionally leaves for the source:

  • Implementation guidance for handling unsolicited SAML responses in OAuth application flows
  • Practical PKCE considerations for reducing interception and replay risk in browser-based clients
  • Design specifics for the token handler pattern across SPAs and API-driven backends
  • Cookie and nonce behavior details that support safer browser session handling

👉 Curity's full client security collection covers token handling, PKCE, XSS prevention, and cookie design details.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org