OAuth Security
Security is a foundational concern for any SSO integration. This page outlines the security requirements, compliance considerations, and best practices for OAuth / OIDC integrations with eCourtDate.
Security Requirements
| Requirement | Status |
|---|---|
| HTTPS on all endpoints | Required -- all authorization, token, user info, and end session endpoints must use HTTPS |
| RS256 signing algorithm | Recommended -- RSA Signature with SHA-256 for token signing |
| FIPS 140-2 compliance | Supported -- compatible with FIPS 140-2 validated cryptographic modules |
| PIV/CAC smart card support | Available -- supports Personal Identity Verification and Common Access Card authentication |
| MFA (Multi-Factor Authentication) | Recommended -- enforce MFA at the Identity Provider level |
Multi-Factor Authentication
MFA should be enforced at the Identity Provider level. eCourtDate does not manage MFA directly; instead, it relies on the IDP to authenticate users with the appropriate level of assurance before issuing tokens.
Supported MFA methods depend on your Identity Provider and may include:
- FIDO2 / WebAuthn security keys
- PIV / CAC smart cards
- TOTP authenticator apps
- SMS or email verification
- Push notifications
FedRAMP-Authorized Providers
For organizations with federal compliance requirements, the following FedRAMP-authorized Identity Providers are compatible with eCourtDate:
| Provider | Highlights |
|---|---|
| Ping Identity | FIDO2 support; FedRAMP authorized |
| ForgeRock | Government sector focus; on-premises deployment option available |
| Oracle Identity Cloud Service | Enterprise-grade cloud identity management |
| OneLogin | FedRAMP Ready designation |
| Keycloak | Open-source; can be deployed on-premises for full infrastructure control |
Security Best Practices
- Use PKCE for all Authorization Code flows to prevent code interception attacks
- Minimize token lifetime to reduce the impact of token compromise
- Validate tokens server-side -- never trust client-side token validation alone
- Restrict scopes to only those required for your integration
- Rotate client secrets on a regular schedule per your organization's policy
- Monitor authentication logs for anomalous sign-in patterns
- Use group claims for agency mapping rather than manual user assignment
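The first best practice above (PKCE for every Authorization Code flow, also on the checklist below) is shown here as an added example, not eCourtDate's or any Identity Provider's code: the client-side verifier and S256 challenge from RFC 7636, and the check the authorization server must perform at the token endpoint. The in-memory code store is a constructed stand-in for the IdP.

```python
"""PKCE (RFC 7636), S256 method: what the client generates before the
authorization request and what the authorization server checks at the
token endpoint. ISSUED_CODES is a constructed stand-in for IdP state."""
import base64
import hashlib
import hmac
import secrets
import string

VERIFIER_ALPHABET = set(string.ascii_letters + string.digits + "-._~")

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-char verifier that never leaves the client."""
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge sent in the authorization request; it may be
    observed without harm because SHA-256 cannot be reversed to the verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_pkce(stored_challenge: str, stored_method: str, verifier: str) -> bool:
    """Server side: the challenge and method were bound to the code when it was
    issued; the token request must present a verifier that hashes to the challenge."""
    if stored_method != "S256":  # 'plain' gives no protection if the request leaks
        return False
    if not 43 <= len(verifier) <= 128 or any(c not in VERIFIER_ALPHABET for c in verifier):
        return False
    return hmac.compare_digest(make_code_challenge(verifier), stored_challenge)

ISSUED_CODES = {}  # constructed server state: code -> (challenge, method)

def issue_code(challenge: str, method: str) -> str:
    """Authorization endpoint: bind the challenge to a fresh single-use code."""
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = (challenge, method)
    return code

def redeem_code(code: str, verifier: str) -> bool:
    """Token endpoint: the code is consumed on any attempt, so an intercepted code
    cannot be retried; returns True only when PKCE verification passes."""
    entry = ISSUED_CODES.pop(code, None)
    return entry is not None and verify_pkce(entry[0], entry[1], verifier)
```

An authorization code captured in transit is useless to whoever holds it without the verifier, which is why the check belongs at the token endpoint rather than in the client.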
Security Checklist
Use this checklist before deploying your OAuth / SSO integration to production:
- All redirect URIs use HTTPS
- PKCE enabled for Authorization Code flow
- Token lifetime configured appropriately
- MFA enforced at the Identity Provider level
- Group claims configured for agency mapping
- Test environment validated before production deployment
- Client secrets stored securely (not in source code or logs)
- End Session URL configured for proper sign-out