ghas-results/cortex-security-guidelines
Each area of concern below lists its guiding questions and the recommended practice(s).

Authentication and Authorization
  Guiding questions:
  • Are appropriate measures taken to limit the exposure of OAuth2 tokens?
  • Are appropriate measures taken to securely store and retrieve OAuth2 tokens?
  • Are there appropriate procedures in place to support the revocation of tokens if a breach is detected?
  Recommended practices:
  • In multi-tenant SaaS applications, avoid exposing the shared client_secret to tenants.
  • For single-tenant SaaS applications, storing the client_secret within individual instances is also not recommended, even if the instance backend is not directly accessible by customers, because rotating the credential then becomes problematic.
  • In multi-tenant SaaS applications, avoid exposing the instance refresh_token to tenants.
  • If a SaaS multi-tenant authentication proxy is used for on-prem apps, the token refresh should also be done in the multi-tenant layer and not in the on-prem instance. The on-prem instance and the SaaS proxy should also authenticate each other, so that access_tokens are not shipped to the wrong tenant.
  • Leverage an external service that handles encryption, e.g. AWS Secrets Manager, GCP KMS, Azure Key Vault, etc.

Compliance
  Guiding questions:
  • Are appropriate measures taken to comply with regional data export laws?
  Recommended practices:
  • Ensure applications are in compliance with GDPR et al.

Isolation
  Guiding questions:
  • Are appropriate measures taken to isolate tenant data?
  • Does the app actually store customer data, or does it only facilitate access to APIs and write data back to App Framework, e.g. API Explorer?
  Recommended practices:
  • In multi-tenant SaaS applications, choose the appropriate multi-tenancy architecture for the use case and requirements, i.e. shared pool vs. hybrid vs. dedicated tables.

Logging and Reporting
  Guiding questions:
  • Are appropriate measures taken to provide adequate error handling, messaging, logging and diagnostics sufficient for triaging, troubleshooting, debugging and root cause analysis (as it pertains to interaction with App Framework APIs)?
  • Are appropriate measures taken to facilitate auditing of access to protected resources?
  • Does the application provide adequate error handling, messaging, logging and diagnostics sufficient for triaging, troubleshooting, debugging and root cause analysis (as it pertains to interaction with App Framework APIs)?
  Recommended practices:
  • Log tenant interactions with App Framework APIs and with the OAuth2 credential store.

Monitoring
  Guiding questions:
  • Are appropriate measures taken to monitor for anomalous behavior?
  • Does the application provide adequate error handling, messaging, logging and diagnostics sufficient for triaging, troubleshooting, debugging and root cause analysis (as it pertains to interaction with App Framework APIs)?
  Recommended practices:
  • Use logging to help determine when tenants/users are misbehaving.

Performance/Throttling
  Guiding questions:
  • Does the application interact with the App Framework APIs in the most efficient/conservative manner possible?
  • Does the application implement best practices around OAuth token refreshing and caching?
  • Does the application implement appropriate measures for respecting the API rate limits and quotas enforced by the App Framework, and does it take appropriate measures to notify/police users when their behavior is in danger of breaching those rate limits/quotas?
  Recommended practices:
  • Perform queries/polls in the most efficient manner possible, e.g. by following recommended/best practices.
  • Persist/cache and reuse data obtained from APIs whenever possible, to avoid redundant API calls.
  • Cache access tokens and make them available to clients in a shared store, to limit the number of times a refresh is required.
  • Cache the refresh token and make it available to clients in a shared store, to support rolling refresh tokens.

Privacy and Risk
  Guiding questions:
  • Are appropriate measures taken to guard against data leakage?
  Recommended practices:
  • Implement safeguards to mitigate leakage of sensitive data, i.e. customer data.
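The Authentication and Authorization and Performance/Throttling practices above describe one component: a token broker that lives only in the multi-tenant layer, keeps the client_secret and each tenant's refresh_token in an external secret store, hands out a shared cached access token, refreshes it exactly once per tenant when it nears expiry, persists the rolled refresh token, and can revoke a tenant on breach. The following is an added example of such a broker, not code from the guidelines' repository. The secret backend, the authorization server, the key names (`app/client_secret`, `tenant/<id>`, `instance/<id>`) and the per-instance key used to authenticate an on-prem instance to the proxy are all assumptions constructed for this example.

```python
"""Tenant-scoped OAuth2 token broker for the SaaS multi-tenant layer (added example)."""
import hashlib
import hmac
import secrets
import threading
import time
from dataclasses import dataclass


@dataclass
class TenantTokens:
    """Per-tenant state held in the secret backend. The client_secret is absent on
    purpose: it lives only under the app-level key and is never part of tenant state."""
    refresh_token: str
    access_token: str = ""
    expires_at: float = 0.0
    revoked: bool = False


class SecretBackend:
    """Hypothetical in-memory stand-in for AWS Secrets Manager / GCP KMS / Azure Key
    Vault; a real backend encrypts at rest and gates reads with IAM policies."""
    def __init__(self):
        self._data = {}
    def put(self, key, value):
        self._data[key] = value
    def get(self, key):
        return self._data[key]


class FakeAuthorizationServer:
    """Constructed OAuth2 server that rotates the refresh token on every refresh."""
    def __init__(self, client_id, client_secret):
        self._client = (client_id, client_secret)
        self.valid_refresh = set()
        self.issued = 0
    def grant(self):
        rt = secrets.token_urlsafe(16)
        self.valid_refresh.add(rt)
        return rt
    def refresh(self, client_id, client_secret, refresh_token):
        if (client_id, client_secret) != self._client or refresh_token not in self.valid_refresh:
            raise PermissionError("invalid_grant")
        self.valid_refresh.discard(refresh_token)  # rolling: the presented token is spent
        self.issued += 1
        return {"access_token": f"at-{self.issued}", "expires_in": 3600, "refresh_token": self.grant()}
    def revoke(self, refresh_token):
        self.valid_refresh.discard(refresh_token)


class TokenBroker:
    """Runs only in the multi-tenant layer. Instances never receive the client_secret
    or refresh_token; they get short-lived access tokens after proving their tenant."""
    REFRESH_MARGIN = 60  # seconds of remaining lifetime below which we refresh early

    def __init__(self, backend, authz_server, client_id):
        self.backend, self.authz, self.client_id = backend, authz_server, client_id
        self._locks = {}  # one lock per tenant so concurrent callers share one refresh

    def enroll_tenant(self, tenant_id, refresh_token):
        self.backend.put(f"tenant/{tenant_id}", TenantTokens(refresh_token=refresh_token))

    def register_instance(self, tenant_id, instance_id):
        """Bind an instance to exactly one tenant; hand its key out once, store only a hash."""
        key = secrets.token_urlsafe(32)
        digest = hashlib.sha256(key.encode()).hexdigest()
        self.backend.put(f"instance/{instance_id}", (tenant_id, digest))
        return key

    def _authenticate_instance(self, tenant_id, instance_id, instance_key):
        bound_tenant, digest = self.backend.get(f"instance/{instance_id}")
        presented = hashlib.sha256(instance_key.encode()).hexdigest()
        if bound_tenant != tenant_id or not hmac.compare_digest(presented, digest):
            raise PermissionError("instance is not authorised for this tenant")

    def access_token_for(self, tenant_id, instance_id, instance_key, now=None):
        now = time.time() if now is None else now
        self._authenticate_instance(tenant_id, instance_id, instance_key)
        key = f"tenant/{tenant_id}"
        rec = self.backend.get(key)
        if rec.revoked:
            raise PermissionError("tenant credentials have been revoked")
        if rec.access_token and rec.expires_at - now > self.REFRESH_MARGIN:
            return rec.access_token  # shared cached token: no refresh round-trip
        with self._locks.setdefault(tenant_id, threading.Lock()):
            rec = self.backend.get(key)  # re-read: another worker may have refreshed
            if rec.access_token and rec.expires_at - now > self.REFRESH_MARGIN:
                return rec.access_token
            resp = self.authz.refresh(self.client_id, self.backend.get("app/client_secret"), rec.refresh_token)
            rec.access_token = resp["access_token"]
            rec.expires_at = now + resp["expires_in"]
            rec.refresh_token = resp.get("refresh_token", rec.refresh_token)  # persist rolled token
            self.backend.put(key, rec)
            return rec.access_token

    def revoke_tenant(self, tenant_id):
        """Breach response: revoke upstream first, then poison the cached state."""
        key = f"tenant/{tenant_id}"
        rec = self.backend.get(key)
        self.authz.revoke(rec.refresh_token)
        rec.revoked, rec.access_token, rec.expires_at = True, "", 0.0
        self.backend.put(key, rec)
```

The instance check runs before any tenant state is read, so a request that names another tenant fails without touching that tenant's record; the lock plus re-read is what keeps a burst of concurrent clients from each spending the single-use refresh token.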

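The Logging and Reporting, Monitoring and Performance/Throttling items above ask for tenant interactions with the App Framework APIs and the OAuth2 credential store to be logged, and for that log to be used to spot misbehaving tenants and to warn before a quota is breached. The following is an added example of a structured audit line and a batch analysis over it, not code from the guidelines' repository. The quota of 100 calls per 60-second window, the 80% warning threshold, the error-ratio threshold, the `token-broker` actor name and every log line are constructed assumptions for this example; real App Framework limits come from its own documentation.

```python
"""Structured tenant audit log plus quota and anomaly checks over it (added example)."""
import json
from collections import defaultdict

# Hypothetical policy values; the real App Framework limits come from its documentation.
QUOTA_PER_WINDOW = 100          # API calls allowed per tenant per window
WINDOW_SECONDS = 60
WARN_FRACTION = 0.8             # notify the tenant once it reaches 80% of quota
ERROR_RATIO_ALERT = 0.5         # flag a tenant whose calls fail more than half the time
MIN_CALLS_FOR_RATIO = 10        # avoid flagging on a handful of calls
EXPECTED_CREDENTIAL_READERS = {"token-broker"}  # only the broker should read the token store


def audit_event(ts, tenant, actor, action, target, status, **extra):
    """Serialize one audit line. actor = user or instance acting for the tenant;
    target = App Framework endpoint or credential-store key; status = HTTP-style code."""
    event = {"ts": ts, "tenant": tenant, "actor": actor, "action": action,
             "target": target, "status": status, **extra}
    return json.dumps(event, sort_keys=True)


def analyze(lines, now):
    """Return {tenant: [findings]} for events inside the current window."""
    calls, errors = defaultdict(int), defaultdict(int)
    cred_readers = defaultdict(set)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt line must not abort triage of the rest
        if now - ev["ts"] > WINDOW_SECONDS:
            continue  # stale event, outside the window being policed
        tenant = ev["tenant"]
        if ev["action"] == "api_call":
            calls[tenant] += 1
            if ev["status"] >= 400:
                errors[tenant] += 1
        elif ev["action"] == "credential_read":
            cred_readers[tenant].add(ev["actor"])
    findings = defaultdict(list)
    for tenant, n in calls.items():
        if n >= QUOTA_PER_WINDOW:
            findings[tenant].append("throttle")
        elif n >= WARN_FRACTION * QUOTA_PER_WINDOW:
            findings[tenant].append("warn_quota")
        if n >= MIN_CALLS_FOR_RATIO and errors[tenant] / n > ERROR_RATIO_ALERT:
            findings[tenant].append("error_spike")
    for tenant, actors in cred_readers.items():
        if actors - EXPECTED_CREDENTIAL_READERS:
            findings[tenant].append("unexpected_credential_access")
    return dict(findings)


def sample_lines(now):
    """Constructed log batch: one tenant near quota, one with failing calls, one whose
    refresh token was read by an instance rather than the broker, plus stale/garbage lines."""
    lines = [audit_event(now - (i % 50), "acme", "user-1", "api_call", "/incidents", 200)
             for i in range(85)]
    lines += [audit_event(now - i, "globex", "inst-3", "api_call", "/alerts", 429 if i < 8 else 200)
              for i in range(12)]
    lines.append(audit_event(now - 5, "acme", "token-broker", "credential_read", "tenant/acme", 200))
    lines.append(audit_event(now - 2, "initech", "inst-7", "credential_read", "tenant/initech", 200))
    lines.append(audit_event(now - 500, "old", "inst-9", "api_call", "/alerts", 200))  # outside window
    lines.append("{not json")
    return lines


if __name__ == "__main__":
    for tenant, found in analyze(sample_lines(1000.0), 1000.0).items():
        print(tenant, found)
```

Every line carries the tenant, the acting user or instance, the target and an outcome, which is the minimum needed to answer the audit question ("who touched which protected resource") and the throttling question ("is this tenant about to exhaust its quota") from the same record.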
About

Partner Security Guidelines for Cortex Apps