
Currently, I am doing research at my internship company. The company uses OAuth2 to integrate the company's web app services with the partner's API, but it does not support knowing who the user is. Also, I found an issue: the company puts the refresh token and access token in session storage in the web browser. As far as my research goes, the web application can be attacked using hijacking. The other thing is that some of the integrations only use an API key to do handshakes. My hypothesis:

  1. The company needs to implement OIDC before OAuth2
  2. The refresh and access tokens in session storage need to be encrypted, but I don't know whether that is possible
  3. The companies that only use an API key need to implement OAuth2

My questions:

  1. Is OAuth2 the best method to secure authentication?
  2. Is it possible to encrypt tokens in session storage in the web browser?

Thanks in advance :D

Nightbaron
  • before you ask a security-related question, it would be best to formulate how you would attack a non-suspecting user: how would you steal his/her/its token in session storage using **another site**? unless this token is actually shared between users after they have authenticated... oh wait, *"but it's not support knowing who the user is."* – Bagus Tesa May 31 '22 at 14:32

1 Answer


Short answer: Yes

Your hypothesis

  1. OIDC is based on OAuth2; it's an authentication flow and itself has tokens.
    StackOverflow question
    OIDC WebSite

  2. OAuth2 is based entirely on HTTP requests; you can get the tokens and encrypt them with whatever encryption algorithms you want.

  3. OAuth2 is not mandatory for APIs; if you already secure your APIs with keys (I don't know the security level or how these keys are created), you can just use them.

Question's answers

  1. OAuth2 is one of the authorization and authentication methods; there are many, and it's not a "one size fits all" solution.

  2. Of course! The token is a base64 string; you can use a crypto library.

Final considerations

I suggest you read about OAuth2 and try some flows. Below are some resources where you can play with and learn OAuth2:

OAuth2 Docs
OAuth2 Playground

Max