This document outlines the threat model for the oauth2 Ruby gem, which implements OAuth 2.0, 2.1, and OIDC Core protocols. The gem is used to facilitate secure authorization and authentication in Ruby applications.
- OAuth access tokens, refresh tokens, and ID tokens
- User credentials (if handled)
- Client secrets and application credentials
- Sensitive user data accessed via OAuth
- Private keys and certificates (for signing/verifying tokens)
- External attackers (internet-based)
- Malicious OAuth clients or resource servers
- Insiders (developers, maintainers)
- Compromised dependencies
- OAuth endpoints (authorization, token, revocation, introspection)
- HTTP request/response handling
- Token storage and management
- Configuration files and environment variables
- Dependency supply chain
- Threat: Tokens exposed via logs, URLs, or insecure storage
- Mitigations:
- Avoid logging sensitive tokens
- Use secure storage mechanisms
- Never expose tokens in URLs
- Threat: Attackers reuse or forge tokens
- Mitigations:
- Validate token signatures and claims
- Use short-lived tokens and refresh tokens
- Implement token revocation
- Threat: Data intercepted via MITM attacks
- Mitigations:
- Enforce HTTPS for all communications
- Validate SSL/TLS certificates
- Threat: Client secrets leaked in code or version control
- Mitigations:
- Store secrets in environment variables or secure vaults
- Never commit secrets to source control
- Threat: Vulnerabilities in third-party libraries
- Mitigations:
- Regularly update dependencies
- Use tools like
bundler-auditfor vulnerability scanning
- Threat: Injection attacks via untrusted input
- Mitigations:
- Validate and sanitize all inputs
- Use parameterized queries and safe APIs
- Threat: Applications may pass untrusted or insufficiently validated absolute URLs into request paths that can carry OAuth credentials or authenticated state.
- Risk: This can expand trust boundaries, contributing to token leakage, authenticated requests to unintended hosts, or SSRF-like pivoting in the surrounding application.
- Mitigations:
- Prefer relative paths where practical
- Do not pass untrusted absolute URLs into token-bearing clients
- Validate or allowlist outbound request targets at the application layer
- Treat request-target validation as a separate concern from log redaction and token storage
- Threat: Attacks go undetected
- Mitigations:
- Log security-relevant events (without sensitive data)
- Monitor for suspicious activity
- The gem is used in a secure environment with up-to-date Ruby and dependencies
- End-users are responsible for secure configuration and deployment
- Security of external OAuth providers
- Application-level business logic
This outline should be reviewed and updated regularly as the project evolves.