# OAuth 2.0 Security Best Current Practice

OAuth 2.0 is a deceptively simple protocol. For many of us, we create a client ID and client secret, set a few environment variables, and watch the black magic take effect. It turns auth into a Boolean on/off switch. Great! But what are the best practices for configuring and using it when we are the ones working behind the scenes? Read on!

First, let's understand some of the threats and security considerations for OAuth 2.0. This is covered in much more detail in "[OAuth 2.0 Threat Model and Security Considerations](/oauth-2-0-threat-model-and-security-considerations/)".

You can see many more details in the IETF Draft "[OAuth 2.0 Security Best Current Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16)".
