You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: SECURITY.md
+73Lines changed: 73 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,3 +13,76 @@ End-of-life for the current release will be determined prior to the release of i
13
13
## Reporting a Vulnerability
14
14
15
15
You should report vulnerabilities using the [Github UI](https://github.com/panva/oauth4webapi/security/advisories/new) or via email [email protected]
16
+
17
+
## Threat Model
18
+
19
+
This section documents the threat model for `oauth4webapi`, a low-level OAuth 2 / OpenID Connect client API for JavaScript runtimes.
20
+
21
+
### Purpose and Intended Users
22
+
23
+
This library is intended for developers building OAuth 2.0 and OpenID Connect client applications in JavaScript runtimes (Node.js, browsers, Cloudflare Workers, Deno, Bun, and other Web-interoperable environments). It provides low-level building blocks for implementing secure OAuth/OIDC flows.
24
+
25
+
### Trust Assumptions
26
+
27
+
#### Underlying Cryptographic Primitives
28
+
29
+
This library trusts that the Web Cryptography implementations provided by the runtime are correct and secure. The library delegates all cryptographic operations (signing, verification, encryption, decryption, etc.) to the runtime's Web Cryptography implementation and does not attempt to validate or verify the correctness of these underlying primitives.
30
+
31
+
#### Runtime Environment
32
+
33
+
The library assumes it is running in a trusted execution environment. The following are considered outside the scope of this library's threat model:
34
+
35
+
-**Prototype pollution attacks**: If an attacker can modify JavaScript prototypes, this is considered a vulnerability in the user's application code or the runtime environment, not in this library.
36
+
-**Debugger access**: If an attacker has debugger access to the running process, they can inspect memory, modify variables, and bypass security controls. This is a runtime-level compromise, not a library vulnerability.
37
+
-**Runtime compromise**: Attacks that compromise the JavaScript runtime itself (e.g., malicious runtime modifications, compromised Node.js binaries, malicious browser extensions with elevated privileges) are not considered attacks on this library.
38
+
39
+
#### Authorization Server Trust
40
+
41
+
This library assumes that the Authorization Server metadata endpoints and JWKS endpoints configured by users are legitimate and trusted. Users are responsible for ensuring they connect to trusted Authorization Servers over secure channels (HTTPS). User inputs to discovery functions are considered trusted.
42
+
43
+
#### Side-Channel Attacks
44
+
45
+
This library delegates all cryptographic operations to the underlying Web Cryptography. Any resistance to side-channel attacks (timing attacks, cache attacks, etc.) is entirely dependent on the underlying cryptographic implementations and is outside the scope of this library.
46
+
47
+
### Security Guarantees
48
+
49
+
This library aims to provide the following security guarantees:
50
+
51
+
-**Specification compliance**: Correct implementation of OAuth 2.0, OAuth 2.1, OpenID Connect, and related specifications (including FAPI 1.0/2.0), validated through OpenID Foundation conformance testing.
52
+
-**Protocol security mechanisms**: Correct implementation of security mechanisms when used, including:
-**Input validation**: Validation of inputs to prevent misuse of the API.
60
+
61
+
### Out of Scope
62
+
63
+
#### Key Management
64
+
65
+
This library does not handle key storage. Users are responsible for securely storing, managing, and distributing cryptographic keys.
66
+
67
+
#### Memory Clearing
68
+
69
+
This library does not guarantee that key material or other sensitive data is cleared from memory after use. As long as the user retains references to key objects, the key material may remain in memory. Secure memory management is the responsibility of the user and the runtime environment.
70
+
71
+
### Threat Actors and Security Properties
72
+
73
+
This library aims to provide the security properties defined by the OAuth 2.0 Security Best Current Practice and OpenID Connect specifications. For detailed security considerations, refer to [RFC 6819 (OAuth 2.0 Threat Model)](https://www.rfc-editor.org/rfc/rfc6819), [OAuth 2.0 Security Best Current Practice](https://www.rfc-editor.org/rfc/rfc9700.html), and [OpenID Connect Core 1.0 Security Considerations](https://openid.net/specs/openid-connect-core-1_0.html#Security).
74
+
75
+
### What is NOT Considered a Vulnerability
76
+
77
+
The following are explicitly **not** considered vulnerabilities in this library:
78
+
79
+
-**Prototype pollution** ([CWE-1321](https://cwe.mitre.org/data/definitions/1321.html)): Attacks that exploit JavaScript prototype pollution are considered vulnerabilities in user application code or the runtime, not this library.
80
+
-**Object injection** ([CWE-915](https://cwe.mitre.org/data/definitions/915.html)): Similar to prototype pollution, object injection attacks are outside the scope of this library.
81
+
-**Debugger/inspector access** ([CWE-489](https://cwe.mitre.org/data/definitions/489.html)): If an attacker can attach a debugger to the process, they have already compromised the runtime environment.
82
+
-**Memory inspection**: Reading process memory, heap dumps, or core dumps to extract key material is a runtime-level attack.
83
+
-**Side-channel attacks** ([CWE-208](https://cwe.mitre.org/data/definitions/208.html)): Timing attacks, cache attacks, and other side-channel vulnerabilities in the underlying Web Cryptography implementations are not vulnerabilities in this library.
84
+
-**Compromised runtime environment**: Malicious or backdoored JavaScript runtimes, compromised system libraries, or tampered Web Cryptography implementations.
85
+
-**Supply chain attacks on the runtime** ([CWE-1357](https://cwe.mitre.org/data/definitions/1357.html)): Compromised Node.js binaries, malicious browser builds, or similar supply chain attacks on the execution environment.
86
+
-**Denial of service via resource exhaustion** ([CWE-400](https://cwe.mitre.org/data/definitions/400.html)): While the library validates inputs, it does not implement resource limits. Applications should implement their own rate limiting and resource management.
87
+
-**Misconfiguration**: Security issues arising from not using available security features (e.g., not using PKCE, using insecure redirect URIs) are the user's responsibility.
88
+
-**Untrusted Authorization Servers**: Security issues arising from connecting to untrusted or malicious Authorization Servers are the user's responsibility.
0 commit comments