Security Issues in OAuth 2.0 SSO Implementations

Li, Wanpeng; Mitchell, Chris J.

doi:10.1007/978-3-319-13257-0_34

Cited by 37 publications

(25 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [41], Sun and Beznosov analyze the security of three IdPs and 96 RPs. In [28], Li and Mitchell study the security of 10 IdPs and 60 RPs based in China. In [43], Yang et al perform an automated analysis of 4 OAuth IdPs and 500 RPs.…”

Section: Related Workmentioning

confidence: 99%

A Comprehensive Formal Security Analysis of OAuth 2.0

Fett

Küsters

Schmitz

2016

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

138

135

View full text Add to dashboard Cite

The OAuth 2.0 protocol is one of the most widely deployed authorization/single sign-on (SSO) protocols and also serves as the foundation for the new SSO standard OpenID Connect. Despite the popularity of OAuth, so far analysis efforts were mostly targeted at finding bugs in specific implementations and were based on formal models which abstract from many web features or did not provide a formal treatment at all.In this paper, we carry out the first extensive formal analysis of the OAuth 2.0 standard in an expressive web model. Our analysis aims at establishing strong authorization, authentication, and session integrity guarantees, for which we provide formal definitions. In our formal analysis, all four OAuth grant types (authorization code grant, implicit grant, resource owner password credentials grant, and the client credentials grant) are covered. They may even run simultaneously in the same and different relying parties and identity providers, where malicious relying parties, identity providers, and browsers are considered as well. Our modeling and analysis of the OAuth 2.0 standard assumes that security recommendations and best practices are followed in order to avoid obvious and known attacks.When proving the security of OAuth in our model, we discovered four attacks which break the security of OAuth. The vulnerabilities can be exploited in practice and are present also in OpenID Connect.We propose fixes for the identified vulnerabilities, and then, for the first time, actually prove the security of OAuth in an expressive web model. In particular, we show that the fixed version of OAuth (with security recommendations and best practices in place) provides the authorization, authentication, and session integrity properties we specify.

show abstract

Section: Related Workmentioning

confidence: 99%

A Comprehensive Formal Security Analysis of OAuth 2.0

Fett

Küsters

Schmitz

2016

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

138

135

View full text Add to dashboard Cite

show abstract

“…It should contain a nonce that is bound to the user's session. Attacks that can result from omitting or incorrectly using state were described in the context of OAuth 2.0 in [8], [35], [37], [44].…”

Section: A Attacks Mitigations and Guidelinesmentioning

confidence: 99%

The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines

Fett

Küsters

Schmitz

2017

2017 IEEE 30th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Abstract-Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis.In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties.In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient.

show abstract

“…In parallel, Sun and Beznosov [22] also studied deployed OAuth 2.0 systems. Later, Li and Mitchell [13] examined the security of deployed OAuth 2.0 systems providing services in Chinese. In parallel, Zhou and Evans [25] conducted a large scale study of the security of Facebook's OAuth 2.0 implementation.…”

Section: Analysing the Security Of Oauth 20 And Openid Connectmentioning

confidence: 99%

“…The impact of such an attack depends on the type of resource accessed. For example, the user might upload private data to the RP, thinking it is uploading information to its own profile at this RP, and this data will subsequently be available to the attacker; as described by Li and Mitchell [13], an attacker can use a CSRF attack to control a victim user's RP account without knowing the user's username and password.…”

Section: Csrf Attacks Against the Redirect Urimentioning

confidence: 99%

Mitigating CSRF attacks on OAuth 2.0 Systems

Mitchell

2018

2018 16th Annual Conference on Privacy, Security and Trust (PST)

Self Cite

View full text Add to dashboard Cite

Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0 and/or OpenID Connect-based single sign on. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance, and it has been widely examined both in theory and in practice. Unfortunately, as these studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.

show abstract

Security Issues in OAuth 2.0 SSO Implementations

Cited by 37 publications

References 10 publications

A Comprehensive Formal Security Analysis of OAuth 2.0

A Comprehensive Formal Security Analysis of OAuth 2.0

The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines

Mitigating CSRF attacks on OAuth 2.0 Systems

Contact Info

Product

Resources

About