Episode 20 · Module 5 · Authentication & Identity

OAuth 2.0 and OpenID Connect

18 May 2026 · 10:32 · Security for Legal SaaS

10:32 10:32

Every law firm already has an identity provider. Alice and Dan cover why legal SaaS should delegate authentication rather than managing passwords, the difference between OAuth 2.0 (authorization) and OpenID Connect (authentication), the Authorization Code + PKCE flow, why the Implicit flow is deprecated, the Backend-for-Frontend pattern for SPAs, scope minimisation, Client Credentials for service-to-service communication, multi-tenant IdP routing, court system and e-filing integrations, and the five most common OAuth implementation mistakes.

Today’s Lesson

Security for Legal SaaS — Episode 20: OAuth 2.0 and OpenID Connect

Delegated Authentication — Why Build Your Own When You Can’t?

Every law firm already has an identity provider (IdP) — the system that manages user accounts and authenticates logins. Active Directory, Google Workspace, Okta, Azure AD. When your legal SaaS platform asks lawyers to create yet another username and password, you’re not just adding friction — you’re creating a credential that will be reused, forgotten, or compromised. OAuth 2.0 (RFC 6749) solves authorization delegation. OpenID Connect (OIDC) layers authentication on top. Together, they let users authenticate with their existing identity provider while your application receives only the claims it needs.

Key distinction: OAuth 2.0 is an authorization framework — it answers “what is this application allowed to do?” OIDC is an authentication layer — it answers “who is this user?” Using OAuth 2.0 alone for authentication is a well-documented anti-pattern. Always use OIDC when you need to verify user identity.

For legal SaaS, OIDC integration means: single sign-on (SSO — logging in once and gaining access to multiple systems) with the firm’s existing IdP, centralized access revocation when a lawyer leaves the firm, and no platform-specific passwords to manage, leak, or stuff.

OAuth 2.0 Flows — Choosing the Right One

Authorization Code + PKCE (Recommended)

The Authorization Code flow with PKCE (Proof Key for Code Exchange, RFC 7636) is the recommended flow for all client types — web apps, SPAs, mobile apps, and native applications.

Flow:

Client generates a random code_verifier (43–128 characters) and computes code_challenge = SHA256(code_verifier)
Client redirects user to authorization server with code_challenge
User authenticates at the authorization server
Authorization server redirects back with an authorization code
Client exchanges code + code_verifier for tokens at the token endpoint
Authorization server verifies SHA256(code_verifier) == code_challenge before issuing tokens

Why PKCE? Without it, an attacker who intercepts the authorization code (via a compromised redirect URI, browser history, or referrer header) can exchange it for tokens. PKCE binds the code to the original client — only the party that generated the code_verifier can complete the exchange.

OAuth 2.1 (draft) mandates PKCE for all authorization code grants. It’s no longer optional.

Client Credentials (Service-to-Service)

For backend services communicating without user context — batch processing, scheduled jobs, inter-service API calls. No user interaction. The service authenticates directly with its own credentials. RFC 6749 Section 4.4 defines this flow. For legal SaaS, this is how your document processing service authenticates to your API — with narrowly scoped permissions and rotated credentials.

Implicit Flow — Deprecated

Do not use. The Implicit flow returns tokens directly in the URL fragment. This exposes tokens to browser history, referrer headers, and any JavaScript on the page. OAuth 2.1 formally removes it. If your legal SaaS still uses Implicit flow, migrate to Authorization Code + PKCE immediately.

OpenID Connect as the Authentication Layer

OAuth 2.0 alone does not tell you who the user is — it tells you what they’re authorized to access. OIDC adds an id_token — a JWT containing identity claims:

Claim	Purpose	Example
`sub`	Subject identifier (unique, stable)	`auth0\|507f1f77bcf86cd799439011`
`email`	User’s email	`partner@bakermckenzie.com`
`email_verified`	Whether email is confirmed	`true`
`name`	Display name	`Sarah Chen`
`iss`	Token issuer	`https://accounts.google.com`
`aud`	Intended audience (your client_id)	`your-legal-saas-client-id`
`exp`	Expiration	`1716003600`
`nonce`	Replay protection	`n-0S6_WzA2Mj`

Critical validation steps (per OIDC Core spec Section 3.1.3.7): verify the signature using the IdP’s published keys (JWKS endpoint), verify iss matches the expected issuer, verify aud contains your client_id, verify exp is in the future, and verify nonce matches what you sent in the authorization request. Skipping any of these checks opens specific attack vectors — issuer confusion, token injection, replay attacks.

Token Storage in SPAs

Single-page applications (SPAs) — where the entire app runs in the user’s browser — cannot keep secrets. There is no client_secret. This makes token storage critical.

Strategy	Security	UX
Backend-for-Frontend (BFF) pattern	Tokens stay server-side; SPA gets httpOnly session cookie	Best — seamless
In-memory (JavaScript variable)	Lost on refresh; no XSS exfiltration risk	Requires silent re-auth on refresh
httpOnly cookie via token endpoint	Needs same-origin token endpoint	Good — cookie-based
~~localStorage~~	XSS = full token theft	Never use
~~sessionStorage~~	XSS = full token theft (slightly better — tab-scoped)	Never use

The current best practice for SPAs is the Backend-for-Frontend (BFF) pattern: your SPA communicates with a thin backend that holds the tokens server-side and proxies API calls. The SPA itself never touches OAuth tokens — it uses a standard httpOnly session cookie to communicate with its BFF.

Architecture recommendation: For legal SaaS handling privileged documents, always use the BFF pattern. The cost is one lightweight backend service. The benefit is that tokens — which grant access to privileged legal content — never exist in browser-accessible storage.

Scope Minimisation

Request only the permissions your application actually needs. The principle of least privilege applied to OAuth scopes:

Bad Practice	Good Practice
`scope=openid profile email read write admin`	`scope=openid email` (for authentication)
Request all scopes at login	Request additional scopes incrementally when needed
Single token for all operations	Different tokens for different sensitivity levels

For legal SaaS integrating with external systems: court filing systems should request read-only access to case status, not write access to filings. Client IdPs should request only openid, email, and necessary profile claims. Document storage should scope to specific folders/labels, not entire mailbox or drive.

Google’s OAuth scope documentation illustrates granular scoping — each API has narrow, specific scopes rather than blanket access.

Legal SaaS Integrations

Court Systems and E-Filing

Many jurisdictions are deploying electronic filing systems that support OAuth/OIDC for third-party access:

Integration	Authentication Pattern	Considerations
Court e-filing APIs	OAuth 2.0 client credentials or authorization code	Strict scope limits; audit requirements
Bar association portals	OIDC SSO (lawyer authenticates via bar IdP)	Verify bar membership status claims
Client identity providers	OIDC federation (firm’s Azure AD/Okta)	Multi-tenant IdP routing
Legal research databases	API key or OAuth client credentials	Rate limiting; usage tracking

Singapore’s eLitigation system provides API access for authorised legal technology providers. Integration requires strict adherence to the Judiciary’s authentication specifications and scope limitations.

Multi-Tenant IdP Routing

When your legal SaaS serves multiple law firms, each with their own identity provider, you need tenant-aware IdP routing:

User enters email at login (partner@bakermckenzie.com)
Your system looks up the domain → tenant mapping
Redirects to the correct IdP (Baker McKenzie’s Azure AD instance)
Receives the OIDC response and validates against that IdP’s configuration
Maps the identity to your internal user record

Auth0’s “Organizations” feature and Okta’s multi-tenancy patterns document this architecture. The critical security requirement: never allow IdP confusion — validate that the issuer claim in the id_token matches the expected IdP for that tenant.

Security Checklist

Control	Requirement
Flow selection	Authorization Code + PKCE for all user-facing flows
State parameter	Cryptographic random value; verify on callback (CSRF protection)
Redirect URI validation	Exact match only — no wildcards, no open redirectors
Token storage	BFF pattern for SPAs; server-side for web apps
Scope	Minimum required; request incrementally
OIDC validation	Verify iss, aud, exp, nonce, and signature on every id_token
Token lifetime	Access: 5–15 min; Refresh: 7 days with rotation
Client secrets	Rotated quarterly; stored in secrets manager, never in code
PKCE	SHA256 code challenge; 43+ character verifier
Logout	Implement both RP-Initiated Logout and Back-Channel Logout

OAuth 2.0 Security Best Current Practice (RFC 9700) consolidates all known OAuth security considerations into one document — essential reading for implementers.

Common Mistakes

1. Open redirect on callback URL — If your redirect_uri accepts arbitrary paths, an attacker can steal authorization codes by redirecting to their server. OWASP documents this as “Unvalidated Redirects”.

2. Missing state parameter — The state parameter is a random value your app sends at the start of the OAuth flow and verifies when the response returns, proving the two are linked. Without it, CSRF attacks can force a victim to authenticate as the attacker (login CSRF) or link the attacker’s account to the victim’s session.

3. Accepting tokens from any issuer — If you don’t validate iss, an attacker running their own IdP can issue tokens that your application accepts.

4. Using access tokens for authentication — Access tokens are for API authorization, not identity verification. This creates a “confused deputy” problem — your service trusts a token that an attacker obtained for a different purpose, effectively tricking the service into acting on a forged identity. Always use the id_token for authentication.

5. Storing client_secret in frontend code — SPAs cannot hold secrets. Use PKCE instead of client_secret for public clients. OAuth 2.0 for Browser-Based Apps is explicit on this point.

Conclusion

OAuth 2.0 and OpenID Connect are not optional features for legal SaaS — they’re the mechanism that eliminates platform-specific credentials, enables centralized access control, and integrates with the identity infrastructure law firms already operate. Use Authorization Code + PKCE for all user-facing flows. Use OIDC for authentication, never raw OAuth. Implement the BFF pattern for SPAs. Validate every claim. Minimise scopes. And route each tenant to their correct IdP with strict issuer validation.

The goal is simple: a lawyer authenticates once with their firm’s identity provider, and your platform trusts that assertion — verified cryptographically, scoped minimally, and revocable centrally when they leave the firm.

Next episode: Multi-Factor Authentication — adding a second factor so that a compromised password alone isn’t game over.

Alice: Welcome back to Security for Legal SaaS. I’m Alice.

Dan: And I’m Dan. Episode 20 — OAuth 2.0 and OpenID Connect. Alice, we just spent two episodes on sessions and JWTs. Now we’re talking about delegated authentication. Why should a legal SaaS platform care about OAuth?

Alice: Because every law firm already has an identity provider — an IdP, the system that manages user accounts and logins. Active Directory, Azure AD, Google Workspace, Okta. When you ask lawyers to create a separate username and password for your platform, three things happen. They reuse a password from somewhere else. They forget it regularly and trigger recovery flows. And when they leave the firm, nobody remembers to deactivate their account on your platform. OAuth and OIDC solve all three problems by delegating authentication to the firm’s existing identity infrastructure.

Dan: Let’s get the terminology straight. OAuth versus OIDC — what’s the difference?

Alice: OAuth 2.0 is an authorization framework. It answers “what is this application allowed to do on behalf of the user?” It was designed for delegated access — letting a third-party app access your Google Drive files without giving it your Google password. OpenID Connect — OIDC — is an authentication layer built on top of OAuth 2.0. It answers “who is this user?” It adds an ID token — a JWT containing identity claims like name, email, and a stable user identifier.

Dan: So if I just use OAuth 2.0 for login, that’s wrong?

Alice: It’s a documented anti-pattern. OAuth alone gives you an access token — which proves the user authorized your app to access a resource. But it doesn’t reliably tell you who the user is. The access token might have been issued to a different application. It might not contain identity claims. Using it for authentication leads to confused deputy problems — where an attacker tricks your service into misusing its authority on their behalf — and token injection attacks. Always use OIDC when you need to verify identity. The ID token is specifically designed for that purpose, with validation rules that prevent the attacks raw OAuth is vulnerable to.

Dan: Walk me through the recommended flow.

Alice: Authorization Code with PKCE — Proof Key for Code Exchange. OAuth 2.1, which is in draft but being widely adopted, makes PKCE mandatory for all authorization code grants. Here’s how it works. Your application generates a random string called a code verifier — at least 43 characters. It computes a SHA-256 hash of that string — the code challenge. It sends the user to the authorization server with the code challenge included. The user authenticates. The authorization server redirects back with an authorization code. Your application sends the code plus the original code verifier to the token endpoint. The server hashes the verifier, confirms it matches the challenge, and only then issues tokens.

Dan: What does PKCE actually protect against?

Alice: Authorization code interception. Without PKCE, if an attacker intercepts the authorization code — through a compromised redirect URI, browser history, referrer headers, or a malicious app registered with the same custom URI scheme on mobile — they can exchange it for tokens. With PKCE, the code is useless without the code verifier, which never left your application’s memory. Only the legitimate client that started the flow can complete it.

Dan: What about the Implicit flow? I still see it in older documentation.

Alice: Dead. Deprecated. OAuth 2.1 formally removes it. The Implicit flow returned tokens directly in the URL fragment — which meant they appeared in browser history, were exposed to JavaScript on the page, and could leak through referrer headers. It existed because early browsers couldn’t make cross-origin POST requests for token exchange. That limitation no longer exists. There is no scenario where Implicit flow is appropriate for new development. If your legal SaaS still uses it, migrate to Authorization Code plus PKCE immediately.

Dan: How should tokens be stored in a single-page application — an SPA, where the entire app runs in the browser?

Alice: The best current practice is the Backend-for-Frontend pattern — BFF. Your SPA communicates with a thin backend service that holds all OAuth tokens server-side. The SPA itself uses a standard httpOnly session cookie to authenticate with its BFF. The BFF proxies API calls, attaching the access token from its server-side store. Tokens never exist in the browser — no localStorage, no sessionStorage, no JavaScript variables. If the page has an XSS vulnerability, the attacker cannot steal OAuth tokens because they aren’t there.

Dan: That adds a backend component for what might otherwise be a pure SPA.

Alice: It does. One lightweight service — often just a few hundred lines. The alternative is storing tokens in JavaScript memory — which works, but means every page refresh requires silent re-authentication. Or storing in localStorage — which means any XSS vulnerability gives the attacker your tokens. For legal SaaS handling privileged documents, the BFF cost is trivial compared to the risk of token exfiltration.

Dan: Let’s talk about scope minimisation. What scopes should a legal SaaS platform request?

Alice: The minimum required for the current operation. For login — openid and email. That’s it. You don’t need profile access. You don’t need offline access unless you genuinely need refresh tokens. You don’t need calendar read or drive access just because the OAuth provider offers them. Request additional scopes incrementally — when the user takes an action that requires broader access, prompt for the additional scope at that moment. This is called progressive consent.

Dan: What about service-to-service communication? No user involved.

Alice: Client Credentials flow. Your document processing service authenticates directly to the authorization server using its own client ID and secret — no user redirect, no browser interaction. It receives an access token scoped to exactly what that service needs — maybe documents:read and nothing else. Client secrets must be stored in a secrets manager, rotated quarterly, and never committed to version control. Obvious, but you’d be amazed how many client secrets live in environment variables copied from a Slack message three years ago.

Dan: Legal SaaS has some unique integration requirements. Court systems, bar associations, client identity providers.

Alice: Multi-tenant IdP routing is the key challenge. Your platform serves dozens of law firms. Each has their own Azure AD or Okta instance. When a user hits your login page, you need to determine which IdP to redirect them to. The standard pattern — type your email address, the system extracts the domain, looks up the tenant-to-IdP mapping, redirects to the correct authorization endpoint. On the return trip, you validate the ID token’s issuer claim matches the expected IdP for that tenant. This prevents IdP confusion — an attacker running their own IdP cannot issue tokens that your platform accepts for a different tenant.

Dan: What about integrating with court e-filing systems?

Alice: Jurisdictions are increasingly offering API access to e-filing systems for authorised legal tech providers. Singapore’s eLitigation, various US state courts. These typically use OAuth 2.0 with strict scope limitations — read case status but not file documents, for example. The security requirement is narrow scoping and comprehensive audit logging. Every access token obtained for court system interaction should be logged with the user who triggered it, the scopes granted, and the operations performed. Courts are understandably cautious about API access to their systems.

Dan: What are the most common OAuth implementation mistakes you see?

Alice: Five. One — open redirectors on the callback URL. If your redirect URI accepts arbitrary paths or has a wildcard, attackers can redirect the authorization code to their server. Use exact-match redirect URI validation only. Two — missing state parameter. The state parameter is a random value your app sends at the start of the OAuth flow and checks when it comes back, to prove the response matches the request. Without it, CSRF attacks can force a user to authenticate as the attacker. Three — accepting tokens from any issuer. Always validate the iss claim against your expected IdP. Four — storing client secrets in frontend code. SPAs are public clients — they cannot hold secrets. Use PKCE. Five — using access tokens for authentication instead of ID tokens. Access tokens are for API authorization. ID tokens are for identity verification. Conflating them opens you to token injection and confused deputy attacks — where your service acts on a forged identity because it trusted the wrong token type.

Dan: Next episode — Multi-Factor Authentication. Adding a second factor so that a compromised password alone isn’t game over.

Alice: Until then, I’m Alice.

Dan: And I’m Dan.

Security for Legal SaaS is a series written with AI assistance. Alice and Dan are AI-generated voices — no professional advice here, just education.