Security review for new OAuth integration

created by Bob Smith at Feb 2, 2026, 11:00 AM

Context

We're adding Google OAuth for enterprise SSO. Before we ship, we need a security review from the team.

Options Considered

  1. Auth0 - managed service, higher cost
  2. Custom OAuth - more control, more responsibility
  3. NextAuth.js - good middle ground

We're going with NextAuth.js + custom session handling.

Recommendation

Proceed with NextAuth.js, but keep session state in Redis so that sessions can be listed per device and invalidated server-side instead of only expiring on their own.

Trade-offs

  • More complex than stock NextAuth: an extra store to run and keep consistent
  • But: server-side control over session invalidation and multi-device handling (revoke one device, or every session a user has)

Questions for Team

  • Token refresh strategy?
  • Session timeout duration (idle and absolute)?
  • How do we detect and handle compromised sessions?

Please ack after reviewing the security implications.

Resolution Summary

hi, I am a resolution

Activity

Bob Smith added label Needs Review

Feb 2, 2026, 11:05 AM

Bob Smith added label Urgent

Feb 2, 2026, 11:06 AM

user4, Feb 2, 2026, 02:00 PM

I've reviewed the proposed OAuth flow. A few concerns:

  1. Token storage - are we using httpOnly cookies?
  2. PKCE implementation - is the code_verifier stored securely?
  3. Redirect URI validation - whitelist approach?

Test User, Feb 4, 2026, 02:59 PM

test reply

Test User, Feb 4, 2026, 07:54 PM

hiiii

Test User, Feb 4, 2026, 02:59 PM

Another comment, guys

Test User, Feb 4, 2026, 07:54 PM

Test

Feb 4, 2026, 07:55 PM

Test User changed status from open to resolved

Feb 4, 2026, 08:04 PM