In general most OAuth 2.0 security guidelines apply to Jackson as well but there are a few minor differences.
OAuth 2.0 is typically a single instance and all users can login using the same instance. However SAML is based on an specific instance that your customers have to configure with their Identity Provider. This means that access to the SAML instance is limited to only those that have been provisioned for it, adding another layer of security to the login flow.
The Config API returns a
client_secret that you can save for each customer and use when initiating the OAuth 2.0 flow. However for convenience we also let you use a
product instead since this doesn't require you to store any additional data. When using this we recommend you use the CLIENT_SECRET_VERIFIER configuration and not use the default
dummy value. The
client_secret cannot really be misused because as you will see in the next section the tokens are short lived but it is a good idea to set the
client_secret to something that is really a secret.
For client-side logins we highly recommend you use the PKCE flow which is supported by Jackson. This ensures a secure login without revealing the
client_secret on the client-side.
The tokens generated by Jackson are short lived (default is 5 minutes) and hence there is no risk of it being misused even if the
client_secret is known. Your SAML provider ensures that there can be no unauthorized.