The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis And Security Guidelines

Daniel Fett, Ralf Küsters, Guido Schmitz
Published 2017 · Computer Science

Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis.

In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties.

In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient.
This paper references
Security Issues in OAuth 2.0 SSO Implementations
Wanpeng Li (2014)
Provably Sound Browser-Based Enforcement of Web Session Integrity
M. Bugliesi (2014)
SPRESSO: A Secure, Privacy-Respecting Single Sign-On System for the Web
Daniel Fett (2015)
Discovering concrete attacks on website authorization by formal analysis
Chetan Bansal (2014)
The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
San-Tsai Sun (2012)
Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web
Daniel Fett (2015)
Information-flow security for JavaScript and its APIs
Daniel Hedin (2016)
An authentication flaw in browser-based Single Sign-On protocols: Impact and remediations
Alessandro Armando (2013)
RFC7033 – WebFinger
P. Jones (2013)
An Expressive Model for the Web Infrastructure: Definition and Application to the Browser ID SSO System
Daniel Fett (2014)
Analysing the Security of Google's Implementation of OpenID Connect
W. Li (2016)
OAuth 2.0 Token Binding
J. W. Bradley (2018)
Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications
Marco Balduzzi (2011)
Run-time Monitoring and Formal Analysis of Information Flows in Chromium
Lujo Bauer (2015)
Protecting Web-Based Single Sign-on Protocols against Relying Party Impersonation Attacks through a Dedicated Bi-directional Authenticated Secure Channel
Yinzhi Cao (2014)
Towards a Formal Foundation of Web Security
Devdatta Akhawe (2010)
The problem with OAuth for Authentication
J. Bradley (2012)
OAuth 2.0 Token Binding – draft-ietf-oauth-token-binding-01. IETF. Mar.
B. Campbell (2016)
Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization
R. Wang (2013)
Featherweight Firefox: Formalizing the Core of a Web Browser
A. Bohannon (2010)
Browser Model for Security Analysis of Browser-Based Protocols
T. Groß (2005)
The Web SSO Standard OpenID Connect: In-Depth Formal Analysis and Security Guidelines
D. Fett (2017)
OAuth 2.0 Token Binding – draft-ietf-oauth-token-binding-01. IETF. Mar.
J. Bradley (2016)
OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1
N. Sakimura (2014)
Reactive non-interference for a browser model
Nataliia Bielova (2011)
Referrer Policy – Editor’s Draft, 28 March 2016
J. Eisinger (2016)
Information-Flow-Based Access Control for Web Browsers
Sachiko Yoshihama (2009)
Mobile values, new names, and secure communication
M. Abadi (2001)
Content Security Policy Level 3 – W3C Working Draft, 13 September 2016
M. West (2016)
OAuth 2.0 Mix-Up Mitigation
J. Bradley (2016)
Simple cross-site attack prevention
F. Kerschbaum (2007)
SoK: Single Sign-On Security — An Evaluation of OpenID Connect
C. Mainka (2017)
Keys to the Cloud: Formal Analysis and Concrete Attacks on Encrypted Web Storage
Chetan Bansal (2013)
Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps
A. Armando (2008)
OpenID Connect Discovery 1.0 incorporating errata set 1
N. Sakimura (2014)
A Comprehensive Formal Security Analysis of OAuth 2.0
Daniel Fett (2016)
The OAuth 2.0 Authorization Framework
D. Hardt (2012)
Encoding claims in the OAuth 2 state parameter using a JWT
John Bradley (2018)
Micro-policies for Web Session Security
Stefano Calzavara (2016)
OAuth 2.0 Threat Model and Security Considerations
T. Lodderstedt (2013)
Cookies Lack Integrity: Real-World Implications
Xiaofeng Zheng (2015)
CookiExt: Patching the browser against session hijacking attacks
M. Bugliesi (2015)
OpenID Connect Core 1.0 incorporating errata set 1
N. Sakimura (2014)
Uses and Abuses of Server-Side Requests
Giancarlo Pellegrino (2016)
JSON Web Token (JWT)
M. Jones (2015)
Verified Security for Browser Extensions
Arjun Guha (2011)

This paper is referenced by
OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect
W. Li (2019)
Comparative Analysis and Framework Evaluating Web Single Sign-On Systems
Furkan Alaca (2018)
On cloud security requirements, threats, vulnerabilities and countermeasures: A survey
Rakesh Kumar (2019)
Identity and Access Control for micro-services based 5G NFV platforms
Daniel Guija (2018)
A research of security in website account binding
Xi Chao Gao (2020)
Understanding and mitigating OpenID Connect threats
J. Navas (2019)
Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience
Giada Sciarretta (2018)
An Extensive Formal Security Analysis of the OpenID Financial-Grade API
Daniel Fett (2019)
Language-Based Web Session Integrity
S. Calzavara (2020)
MIT Timely Secure Confessions
R. Chia (2018)
Interoperable, State-approved Electronic Identities
R. Sasse (2018)
EL PASSO: Privacy-preserving, Asynchronous Single Sign-On
Zhiyi Zhang (2020)
Extending OpenID Connect Towards Mission Critical Applications
R. Deeptha (2018)
Using Structural Diversity to Enforce Strong Authentication of Mobiles to the Cloud
Samy Kambou (2019)
Strengthening Password-Based Web Authentication Through Multiple Supplementary Mechanisms
Furkan Alaca (2018)
Modelling and Analysis of Web Applications in Tamarin
Sandra Dünki (2019)
User Access Privacy in OAuth 2.0 and OpenID Connect
Wanpeng Li (2020)
Vetting Single Sign-On SDK Implementations via Symbolic Reasoning
R. Yang (2018)
Towards Further Formal Foundation of Web Security: Expression of Temporal Logic in Alloy and Its Application to a Security Model With Cache
Hayato Shimamoto (2019)
Assessment of Secure OpenID-Based DAAA Protocol for Avoiding Session Hijacking in Web Applications
Muhammad Bilal (2018)
DNS-IdM: a blockchain identity management system to secure personal data sharing in a network
Jamila Alsayed Kassem (2019)
Towards secure and standard-compliant implementations of the PSD2 Directive
Tobias Wich (2017)
Some data provided by SemanticScholar