
The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis And Security Guidelines

Daniel Fett, Ralf Küsters, Guido Schmitz
Published 2017 · Computer Science

Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis.

In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties.

In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient.
This paper references
10.1007/978-3-319-13257-0_34
Security Issues in OAuth 2.0 SSO Implementations
Wanpeng Li (2014)
10.1109/CSF.2014.33
Provably Sound Browser-Based Enforcement of Web Session Integrity
M. Bugliesi (2014)
10.1145/2810103.2813726
SPRESSO: A Secure, Privacy-Respecting Single Sign-On System for the Web
Daniel Fett (2015)
10.3233/JCS-140503
Discovering concrete attacks on website authorization by formal analysis
Chetan Bansal (2014)
10.1145/2382196.2382238
The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
San-Tsai Sun (2012)
10.1007/978-3-319-24174-6_3
Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web
Daniel Fett (2015)
10.3233/JCS-160544
Information-flow security for JavaScript and its APIs
Daniel Hedin (2016)
10.1016/j.cose.2012.08.007
An authentication flaw in browser-based Single Sign-On protocols: Impact and remediations
Alessandro Armando (2013)
RFC7033 – WebFinger
P. Jones (2013)
10.1109/SP.2014.49
An Expressive Model for the Web Infrastructure: Definition and Application to the Browser ID SSO System
Daniel Fett (2014)
10.1007/978-3-319-40667-1_18
Analysing the Security of Google's Implementation of OpenID Connect
W. Li (2016)
OAuth 2.0 Token Binding
J. W. Bradley (2018)
Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications
Marco Balduzzi (2011)
10.14722/NDSS.2015.23295
Run-time Monitoring and Formal Analysis of Information Flows in Chromium
Lujo Bauer (2015)
10.1007/978-3-319-11379-1_14
Protecting Web-Based Single Sign-on Protocols against Relying Party Impersonation Attacks through a Dedicated Bi-directional Authenticated Secure Channel
Yinzhi Cao (2014)
10.1109/CSF.2010.27
Towards a Formal Foundation of Web Security
Devdatta Akhawe (2010)
The problem with OAuth for Authentication
J. Bradley (2012)
OAuth 2.0 Token Binding – draft-ietf-oauth-token-binding-01. IETF. Mar.
B. Campbell (2016)
Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization
R. Wang (2013)
Featherweight Firefox: Formalizing the Core of a Web Browser
A. Bohannon (2010)
10.1007/11555827_28
Browser Model for Security Analysis of Browser-Based Protocols
T. Groß (2005)
The Web SSO Standard OpenID Connect: In-Depth Formal Analysis and Security Guidelines
D. Fett (2017)
OAuth 2.0 Token Binding – draft-ietf-oauth-token-binding-01. IETF. Mar.
J. Bradley (2016)
OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1
N. Sakimura (2014)
10.1109/ICNSS.2011.6059965
Reactive non-interference for a browser model
Nataliia Bielova (2011)
Referrer Policy – Editor’s Draft, 28 March 2016
J. Eisinger (2016)
10.1587/transinf.E92.D.836
Information-Flow-Based Access Control for Web Browsers
Sachiko Yoshihama (2009)
10.1145/360204.360213
Mobile values, new names, and secure communication
M. Abadi (2001)
Content Security Policy Level 3 – W3C Working Draft, 13 September 2016
M. West (2016)
OAuth 2.0 Mix-Up Mitigation
J. Bradley (2016)
10.1109/SECCOM.2007.4550368
Simple cross-site attack prevention
F. Kerschbaum (2007)
10.1109/EuroSP.2017.32
SoK: Single Sign-On Security — An Evaluation of OpenID Connect
C. Mainka (2017)
10.1007/978-3-642-36830-1_7
Keys to the Cloud: Formal Analysis and Concrete Attacks on Encrypted Web Storage
Chetan Bansal (2013)
10.1145/1456396.1456397
Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps
A. Armando (2008)
OpenID Connect Discovery 1.0 incorporating errata set 1
N. Sakimura (2014)
10.1145/2976749.2978385
A Comprehensive Formal Security Analysis of OAuth 2.0
Daniel Fett (2016)
10.17487/RFC6749
The OAuth 2.0 Authorization Framework
D. Hardt (2012)
Encoding claims in the OAuth 2 state parameter using a JWT
John Bradley (2018)
10.1109/CSF.2016.20
Micro-policies for Web Session Security
Stefano Calzavara (2016)
10.17487/RFC6819
OAuth 2.0 Threat Model and Security Considerations
T. Lodderstedt (2013)
Cookies Lack Integrity: Real-World Implications
Xiaofeng Zheng (2015)
10.3233/JCS-150529
CookiExt: Patching the browser against session hijacking attacks
M. Bugliesi (2015)
OpenID Connect Core 1.0 incorporating errata set 1
N. Sakimura (2014)
10.1007/978-3-319-45719-2_18
Uses and Abuses of Server-Side Requests
Giancarlo Pellegrino (2016)
10.17487/RFC7519
JSON Web Token (JWT)
M. Jones (2015)
10.1109/SP.2011.36
Verified Security for Browser Extensions
Arjun Guha (2011)

This paper is referenced by
10.1145/3338500.3360331
OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect
W. Li (2019)
Comparative Analysis and Framework Evaluating Web Single Sign-On Systems
Furkan Alaca (2018)
10.1016/J.COSREV.2019.05.002
On cloud security requirements, threats, vulnerabilities and countermeasures: A survey
Rakesh Kumar (2019)
10.1145/3230833.3233255
Identity and Access Control for micro-services based 5G NFV platforms
Daniel Guija (2018)
10.1016/j.jisa.2019.102444
A research of security in website account binding
Xi Chao Gao (2020)
10.1016/J.COSE.2019.03.003
Understanding and mitigating OpenID Connect threats
J. Navas (2019)
10.1007/978-3-319-89722-6_8
Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience
Giada Sciarretta (2018)
10.1109/SP.2019.00067
An Extensive Formal Security Analysis of the OpenID Financial-Grade API
Daniel Fett (2019)
10.1109/csf49147.2020.00016
Language-Based Web Session Integrity
S. Calzavara (2020)
MIT Timely Secure Confessions
R. Chia (2018)
Interoperable, State-approved Electronic Identities
R. Sasse (2018)
EL PASSO: Privacy-preserving, Asynchronous Single Sign-On
Zhiyi Zhang (2020)
10.2478/cait-2018-0041
Extending OpenID Connect Towards Mission Critical Applications
R. Deeptha (2018)
10.1109/CNS.2019.8802823
Using Structural Diversity to Enforce Strong Authentication of Mobiles to the Cloud
Samy Kambou (2019)
10.22215/etd/2018-12840
Strengthening Password-Based Web Authentication Through Multiple Supplementary Mechanisms
Furkan Alaca (2018)
10.3929/ethz-b-000372337
Modelling and Analysis of Web Applications in Tamarin
Sandra Dünki (2019)
User Access Privacy in OAuth 2.0 and OpenID Connect
Wanpeng Li (2020)
Vetting Single Sign-On SDK Implementations via Symbolic Reasoning
R. Yang (2018)
10.1109/ACCESS.2019.2920675
Towards Further Formal Foundation of Web Security: Expression of Temporal Logic in Alloy and Its Application to a Security Model With Cache
Hayato Shimamoto (2019)
10.1155/2018/6315039
Assessment of Secure OpenID-Based DAAA Protocol for Avoiding Session Hijacking in Web Applications
Muhammad Bilal (2018)
10.3390/APP9152953
DNS-IdM: a blockchain identity management system to secure personal data sharing in a network
Jamila Alsayed Kassem (2019)
Towards secure and standard-compliant implementations of the PSD2 Directive
Tobias Wich (2017)