OAuth2 security considerations
- Last Updated: March 30, 2020
- OpenEdge
- Version 12.2
- Documentation
Some security experts consider OAuth2 an insecure mechanism when used in browsers, JavaScript applications, web servers, or web applications. However, if you follow best practices, you can use OAuth2 while reducing security vulnerabilities. The basic best practices are:
- Securing authorization server and resource server implementations by using code that has been reviewed and scanned
- Ensuring that every HTTP message travels over a TLS network connection
- Ensuring that cryptographic keys are securely stored and securely shared between the authorization server and the resource servers
- Fully validating an access token (according to its specification) before it is used to access data
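The last item, full validation of an access token before it is used, as an added example that is not part of the OpenEdge documentation: it assumes the access token is a JWT signed with HMAC-SHA256 using a key shared between the authorization server and the resource server, and the key, issuer and audience values are constructed placeholders. Each check a resource server should apply to a bearer token (pinned algorithm, signature, expiry, not-before, issuer, audience) is a separate step so that a rejection names its reason.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key; in practice it comes from secure key storage, never source code.
SHARED_KEY = b"example-shared-key-do-not-use-in-production"
EXPECTED_ISSUER = "https://auth.example.test"  # assumed issuer identifier
EXPECTED_AUDIENCE = "orders-api"                # assumed resource server id

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_token(claims, key=SHARED_KEY):
    """Build an HS256 JWT; used here only to construct sample tokens."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_token(token, now, key=SHARED_KEY):
    """Return the claims if every check passes, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad JSON or wrong segment count
        raise ValueError("malformed token")
    # Pin the algorithm; never let the token header choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    return claims
```

The caller passes the current time explicitly so the checks are deterministic and testable; a real resource server would also add its own clock-skew allowance and fetch the key from its key store rather than a module constant.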