Leaders Logo
Developer Technologies

Security in APIs: Implementation of OAuth 2.0 and OpenID Connect in Applications, with a Focus on Protecting Sensitive Data

By Nagib Sabbag Filho
Nov 30 2025
Reading Time: 5 minutes
vol. 2, num. 35, 2025

Introduction

With the growing use of APIs in various applications, the security of these interfaces becomes a primary concern. Protecting sensitive data and proper authentication are fundamental to ensuring the integrity and privacy of information. In this context, OAuth 2.0 and OpenID Connect emerge as essential protocols that provide effective means of authentication and authorization.

OAuth 2.0: Overview

OAuth 2.0 is an authorization framework that allows clients to access protected resources on behalf of a user without exposing their credentials. Access tokens are one of the forms used for this authorization, but the protocol also provides for other artifacts, such as authorization codes and refresh tokens, which make up the secure process of obtaining and maintaining access. One of the main goals is to maintain secure communication between the client and the server (HARDT, 2012).

How OAuth 2.0 Works

A basic OAuth 2.0 flow can be divided into the following steps:

  • The user requests authorization for a client application.
  • The authorization server authenticates the user and requests authorization.
  • Once authorized, the authorization server issues an access token.
  • The client application uses the token to access the protected resources.
SVG Image of the Article

Implementation in C#

IdentityServer provides a robust implementation of the OAuth 2.0 and OpenID Connect standards within the .NET ecosystem. It acts as a complete identity provider, responsible for issuing tokens, validating permissions, and centralizing authentication and authorization logic. Its modular architecture allows for secure integration of distributed applications, making it a solid choice for enterprise scenarios and large-scale systems (PETROVA; VARBANOVA, 2023).

A practical example of implementing OAuth 2.0 in C# can be found in .NET applications. The code below demonstrates how to configure authentication with OAuth 2.0 using IdentityServer.

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = Configuration["Jwt:Issuer"],
            ValidAudience = Configuration["Jwt:Audience"],
            IssuerSigningKey = new 
                SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:Key"]))
        };
    });
}

Implementation in Go (Golang)

To implement OAuth 2.0 in Go, the library "golang.org/x/oauth2" can be used. The example below shows how to configure an OAuth 2.0 client.

package main

import (
    "golang.org/x/oauth2"
    "golang.org/x/oauth2/google"
    "net/http"
)

func main() {
    conf := &oauth2.Config{
        ClientID:     "YOUR_CLIENT_ID",
        ClientSecret: "YOUR_CLIENT_SECRET",
        RedirectURL:  "YOUR_REDIRECT_URL",
        Scopes:       []string{"https://www.googleapis.com/auth/userinfo.profile"},
        Endpoint:     google.Endpoint,
    }

    http.HandleFunc("/auth", func(w http.ResponseWriter, r *http.Request) {
        url := conf.AuthCodeURL("state", oauth2.AccessTypeOffline)
        http.Redirect(w, r, url, http.StatusTemporaryRedirect)
    })

    http.ListenAndServe(":8080", nil)
}

OpenID Connect: Authentication over OAuth 2.0

OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. It allows developers to authenticate users and obtain information about them securely.

How OpenID Connect Works

OpenID Connect uses the same components as OAuth 2.0 but introduces new concepts, such as the ID Token, which provides information about the user's authentication.

Implementation in C#

The implementation of OpenID Connect in C# can be done using ASP.NET Core middleware. The example below shows how to configure OpenID Connect authentication.

services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    options.ClientId = Configuration["AzureAd:ClientId"];
    options.ClientSecret = Configuration["AzureAd:ClientSecret"];
    options.Authority = 
    $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/v2.0";
    options.ResponseType = "code id_token";
    options.SaveTokens = true;
});

Implementation in Go (Golang)

For OpenID Connect in Go, the library "golang.org/x/oauth2" can also be used. The example below demonstrates the configuration of an OpenID Connect client.

package main

import (
    "golang.org/x/oauth2"
    "golang.org/x/oauth2/google"
    "net/http"
)

func main() {
    conf := &oauth2.Config{
        ClientID:     "YOUR_CLIENT_ID",
        ClientSecret: "YOUR_CLIENT_SECRET",
        RedirectURL:  "YOUR_REDIRECT_URL",
        Scopes:       []string{"openid", "profile", "email"},
        Endpoint:     google.Endpoint,
    }

    http.HandleFunc("/auth", func(w http.ResponseWriter, r *http.Request) {
        url := conf.AuthCodeURL("state", oauth2.AccessTypeOffline)
        http.Redirect(w, r, url, http.StatusTemporaryRedirect)
    })

    http.ListenAndServe(":8080", nil)
}

Protection of Sensitive Data

The protection of sensitive data is one of the main concerns when implementing OAuth 2.0 and OpenID Connect. It is crucial to ensure that access tokens and user information are stored and transmitted securely.

Secure Storage of Tokens

Access tokens must be stored rigorously, preferably using encrypted storage mechanisms to avoid accidental exposure, leakage in logs, or interception by malicious software. Consistent protection of this data is essential to mitigate risks such as credential theft, replay attacks, and session hijacking, as insecure storage remains one of the most critical vectors in OAuth 2.0 implementations (LODDERSTEDT et al., 2013).

Secure Communication

Communication between the client and server should occur exclusively via HTTPS, ensuring confidentiality, integrity, and authenticity of the transmitted data. NIST 800-63B guidelines emphasize that any sensitive information (including tokens, credentials, and persistent identifiers) should only travel over encrypted channels, as transmissions without TLS expose the system to interception, tampering, and replay attacks (GRASSI et al., 2017).

Conclusion

The implementation of OAuth 2.0 and OpenID Connect provides a robust framework for authentication and authorization in modern applications. However, it is essential to follow best security practices to protect sensitive data, ensuring that user privacy and information integrity are maintained.

References

  • HARDT, Dick. The OAuth 2.0 authorization framework. 2012. reference.Description
  • PETROVA, Plamenna; VARBANOVA, Silvia. IdentityServer Integration with ASP. NET Core. 2023. reference.Description
  • LODDERSTEDT, Torsten; MCGLOIN, Mark; HUNT, Phil. OAuth 2.0 threat model and security considerations. 2013. reference.Description
  • GRASSI, Paul A. et al. NIST 800-63B digital identity guidelines: Authentication and lifecycle management. McLean, VA, Tech. Rep, 2017. reference.Description
About the author

Nagib serves as a Microsoft MVP, has experience as a Systems Architecture Leader, Tech Manager, University Professor, and Senior Developer, with a career marked by solid academic and professional achievements. He holds a postgraduate degree from SENAC and from Mackenzie Presbyterian University, with an MBA in Software Technology from USP, and has participated in extension programs at MIT and the University of Chicago. He is the author of a peer-reviewed scientific article on chatbots, presented in person at the University of Barcelona. He is actively involved in the technical community, with more than 50 published articles, including over 10 articles on iMasters. As a speaker, he has participated in nationally significant events, such as the .NET Architecture tracks at TDC São Paulo, Solutions Architecture at TDC Floripa, and Developer Technologies at MVP Conf, as well as speaking at TOTVS Developers.