Project - OAuth Server & Two-Factor Authentication
Rewrote Solcon's OAuth server to align with modern specifications, added multi-provider two-factor authentication, implemented a new design, and upgraded the framework.
- Client
- Solcon
- Year
- Service
- Fullstack Development, Security
Overview
Solcon's OAuth server had drifted from the specification over successive changes, leaving the company exposed to security risks that are increasingly exploited in today's threat landscape. Non-compliant authorization flows are a liability — they create blind spots in token handling and session management that attackers actively target. I rewrote the server to bring it back in line with the OAuth spec, upgraded the Symfony framework to a current version, and implemented Solcon's new visual design across all user-facing flows.
Alongside the rewrite I added two-factor authentication, giving users multiple options to secure their accounts — a feature the previous implementation lacked entirely.
Key Contributions
OAuth Spec Compliance
Rewrote the authorization server to align with the OAuth specification, correcting non-compliant flows in token issuance, refresh, and revocation. With credential theft, session hijacking, and token abuse on the rise, spec compliance is not a nice-to-have — it is a baseline requirement for mitigating these risks and meeting the security and audit standards expected of an internet service provider.
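The token lifecycle the paragraph refers to (issuance, refresh, revocation) is where spec drift usually hides. The following is an added illustration, not Solcon's code or any part of the Symfony implementation described here; it is a minimal in-memory authorization server in Python whose class and method names (AuthorizationServer, issue, refresh, revoke, introspect) are assumptions for this example. It shows three behaviours the relevant RFCs pin down: refresh tokens are rotated on every use and replay of a spent token revokes the whole grant (OAuth 2.0 Security BCP guidance), the revocation endpoint answers 200 for unknown tokens (RFC 7009 §2.2) but refuses a token issued to a different client (RFC 7009 §2.1), and a resource server's introspection only reports a token active while it is unexpired and its grant unrevoked.

```python
import secrets


class Grant:
    """One authorization (user + client + scope). Every token hangs off a grant,
    so revoking the grant kills all tokens minted from it."""

    def __init__(self, client_id, user_id, scope):
        self.client_id, self.user_id, self.scope = client_id, user_id, scope
        self.revoked = False


class AuthorizationServer:
    """Constructed in-memory store for the example; a real server persists this."""

    def __init__(self, access_ttl=600):
        self.access_ttl = access_ttl
        self.grants = {}        # grant id -> Grant
        self.access = {}        # access token -> (grant id, expiry as unix time)
        self.live_refresh = {}  # currently valid refresh token -> grant id
        self.all_refresh = {}   # every refresh token ever minted -> grant id (reuse detection)

    def _mint(self, gid, now):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (gid, now + self.access_ttl)
        self.live_refresh[refresh] = gid
        self.all_refresh[refresh] = gid
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": refresh}

    def issue(self, client_id, user_id, scope, now):
        """Token issuance after a successful authorization (e.g. the code exchange)."""
        gid = secrets.token_urlsafe(8)
        self.grants[gid] = Grant(client_id, user_id, scope)
        return self._mint(gid, now)

    def refresh(self, refresh_token, client_id, now):
        """grant_type=refresh_token with rotation. Returns a new token pair, or None,
        in which case the endpoint answers 400 invalid_grant (RFC 6749 section 5.2)."""
        gid = self.live_refresh.get(refresh_token)
        if gid is None:
            # A token that was valid once but has already been rotated away is being
            # replayed: treat it as leaked and revoke the whole grant.
            old = self.all_refresh.get(refresh_token)
            if old is not None:
                self.revoke_grant(old)
            return None
        grant = self.grants[gid]
        if grant.revoked or grant.client_id != client_id:
            return None  # checked before spending the token, so a wrong client cannot burn it
        del self.live_refresh[refresh_token]  # rotate: the presented token is now spent
        return self._mint(gid, now)

    def revoke(self, token, client_id):
        """RFC 7009 revocation endpoint. Unknown tokens still get 200 so the endpoint
        cannot be used to probe which tokens exist; a token owned by another client is
        refused (section 2.1). Returns the HTTP status the endpoint would send."""
        if token in self.access:
            gid = self.access[token][0]
        elif token in self.all_refresh:
            gid = self.all_refresh[token]
        else:
            return 200
        if self.grants[gid].client_id != client_id:
            return 400
        self.revoke_grant(gid)
        return 200

    def revoke_grant(self, gid):
        """Invalidate the grant and every access and refresh token issued from it."""
        self.grants[gid].revoked = True
        self.live_refresh = {t: g for t, g in self.live_refresh.items() if g != gid}
        self.access = {t: v for t, v in self.access.items() if v[0] != gid}

    def introspect(self, access_token, now):
        """What a resource server asks (RFC 7662 response shape): active only while the
        token exists, is unexpired, and its grant is not revoked."""
        entry = self.access.get(access_token)
        if entry is None:
            return {"active": False}
        gid, exp = entry
        grant = self.grants[gid]
        if now >= exp or grant.revoked:
            return {"active": False}
        return {"active": True, "client_id": grant.client_id, "sub": grant.user_id,
                "scope": grant.scope, "exp": exp}
```

The reuse-detection branch is the part worth copying: without the all_refresh record, a stolen-then-rotated refresh token simply fails, and the legitimate session carries on with no signal that the token ever leaked.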
Two-Factor Authentication
Built full 2FA support with five providers, so users can choose the method that fits their situation:
- Authenticator apps — Google Authenticator and Microsoft Authenticator via TOTP.
- SMS and e-mail — for users who prefer or require a code delivered to their phone or inbox.
- Backup codes — one-time recovery codes as a fallback when the primary method is unavailable.
Users can configure their preferred method and fall back to alternatives, avoiding the lockout scenarios that come with single-provider 2FA.
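To make the TOTP and backup-code providers concrete, here is an added example in Python; it is not Solcon's code and does not reflect how the Symfony implementation is structured. The function names (hotp, totp, verify_totp, BackupCodes, check_second_factor) and the user dictionary shape are assumptions for this illustration. It implements RFC 4226/6238 directly, verified against the RFC test secret, and shows the two checks a 2FA verifier needs beyond "does the code match": a small clock-skew window, and rejection of any counter at or below the last accepted one so a captured code cannot be replayed within that window. The backup-code store keeps only salted slow hashes and deletes a code the moment it is redeemed, and the dispatcher lets backup codes work regardless of which primary method the user configured.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step, digits)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, the format Google and Microsoft Authenticator import."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def verify_totp(secret, code, now, last_counter=None, step=30, window=1):
    """Return the matching counter, or None. Accepts +/- `window` steps of clock skew,
    but never a counter at or below `last_counter`, so an observed code is single-use."""
    base = now // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


class BackupCodes:
    """One-time recovery codes: plaintext is handed out exactly once at creation,
    only salted slow hashes are stored, and a code is removed when redeemed."""

    def __init__(self, salt, hashes):
        self.salt, self.hashes = salt, hashes

    @classmethod
    def create(cls, count=8):
        salt = secrets.token_bytes(16)
        plaintext = [secrets.token_hex(5) for _ in range(count)]  # 40-bit codes
        store = cls(salt, set())
        store.hashes = {store._hash(c) for c in plaintext}
        return plaintext, store  # show `plaintext` to the user once, keep only `store`

    def _hash(self, code):
        # A slow KDF: 40-bit codes are brute-forceable offline if a fast hash leaks.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 50_000)

    def redeem(self, code):
        h = self._hash(code)
        if h in self.hashes:
            self.hashes.discard(h)  # single use
            return True
        return False

    def remaining(self):
        return len(self.hashes)


def check_second_factor(user, method, code, now):
    """Dispatch on the method the user chose; backup codes are accepted as a fallback
    regardless of the configured primary method. `user` is a constructed dict here."""
    if method == "totp":
        counter = verify_totp(user["totp_secret"], code, now, user.get("last_counter"))
        if counter is None:
            return False
        user["last_counter"] = counter  # persist so the same code is not accepted twice
        return True
    if method == "backup":
        return user["backup"].redeem(code)
    return False  # SMS and e-mail delivery are out of scope for this example
```

The last_counter bookkeeping is the detail most often missing from home-grown TOTP: with a one-step window and no replay check, a code shoulder-surfed or phished seconds ago is still accepted for up to 90 seconds.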
Frontend & Framework Upgrade
Implemented Solcon's new visual design across the login, registration, and authorization screens, and upgraded the Symfony framework to bring the codebase to a current, supported version.
- PHP
- Symfony
- JavaScript
- Sass
- OAuth
- TOTP / 2FA
- Spec Compliant: OAuth
- 2FA Providers: 5
- Framework Upgrade: Symfony
- New Frontend: Redesign