
A Comprehensive Formal Security Analysis Of OAuth 2.0

Daniel Fett, R. Küsters, G. Schmitz
Published 2016 · Computer Science

The OAuth 2.0 protocol is one of the most widely deployed authorization/single sign-on (SSO) protocols and also serves as the foundation for the new SSO standard OpenID Connect. Despite the popularity of OAuth, so far analysis efforts were mostly targeted at finding bugs in specific implementations and were based on formal models which abstract from many web features or did not provide a formal treatment at all. In this paper, we carry out the first extensive formal analysis of the OAuth 2.0 standard in an expressive web model. Our analysis aims at establishing strong authorization, authentication, and session integrity guarantees, for which we provide formal definitions. In our formal analysis, all four OAuth grant types (authorization code grant, implicit grant, resource owner password credentials grant, and the client credentials grant) are covered. They may even run simultaneously in the same and different relying parties and identity providers, where malicious relying parties, identity providers, and browsers are considered as well. Our modeling and analysis of the OAuth 2.0 standard assumes that security recommendations and best practices are followed in order to avoid obvious and known attacks. When proving the security of OAuth in our model, we discovered four attacks which break the security of OAuth. The vulnerabilities can be exploited in practice and are present also in OpenID Connect. We propose fixes for the identified vulnerabilities, and then, for the first time, actually prove the security of OAuth in an expressive web model. In particular, we show that the fixed version of OAuth (with security recommendations and best practices in place) provides the authorization, authentication, and session integrity properties we specify.
This paper references
How I hacked Github again
E. Homakov
RFC7033 – WebFinger
P. Jones (2013)
On the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect
Vladislav Mladenov (2015)
10.1109/SP.2014.49
An Expressive Model for the Web Infrastructure: Definition and Application to the Browser ID SSO System
Daniel Fett (2014)
10.1007/978-3-319-24174-6_3
Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web
Daniel Fett (2015)
Cross-Origin Resource Sharing – W3C Recommendation 16
RFC6819 – OAuth 2.0 Threat Model and Security Considerations. IETF
M. McGloin
OpenID Connect Core 1.0 incorporating errata set 1. OpenID Foundation
N. Sakimura (2014)
Proceedings of the 6th ACM Workshop on Formal Methods in Security Engineering, FMSE 2008, Alexandria, VA, USA, October 27, 2008
Vitaly Shmatikov (2008)
A Comprehensive Formal Security Analysis of OAuth 2.0
D. Fett (2016)
RFC6749 – The OAuth 2.0 Authorization Framework. IETF
D. Hardt ed (2012)
10.17487/RFC6819
OAuth 2.0 Threat Model and Security Considerations
T. Lodderstedt (2013)
RFC7231 – Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. IETF
R. Fielding ed (2014)
10.1145/2897845.2897874
Model-based Security Testing: An Empirical Study on OAuth 2.0 Implementations
R. Yang (2016)
Bypassing HTTP Strict Transport Security. In Blackhat
J. Selvi (2014)
Facebook Connect Market Share and Web Usage Statistics. Last visited Nov
Similartech (2015)
10.1007/978-3-319-20550-2_13
More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations
Ethan Shernan (2015)
10.1145/2382196.2382238
The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
San-Tsai Sun (2012)
10.1109/CSNT.2011.141
Formal Verification of OAuth 2.0 Using Alloy Framework
Suhas A. Pai (2011)
10.17487/RFC6749
The OAuth 2.0 Authorization Framework
D. Hardt (2012)
Who was hacked
Martin Moore (2015)
Encoding claims in the OAuth 2 state parameter using a JWT
John Bradley (2018)
10.1145/1455770.1455782
Robust defenses for cross-site request forgery
A. Barth (2008)
10.17487/RFC2617
HTTP Authentication: Basic and Digest Access Authentication
J. Franks (1999)
10.1007/978-3-319-13257-0_34
Security Issues in OAuth 2.0 SSO Implementations
Wanpeng Li (2014)
OpenID Connect Discovery 1.0 incorporating errata set 1. OpenID Foundation
N. Sakimura (2014)
On the security of modern Single Sign-On Protocols: OpenID Connect 1.0
V. Mladenov (2015)
OAuth 2.0 Mix-Up Mitigation
J. Bradley (2016)
Formal Verification of OAuth 2.0 Using Alloy Framework. In CSNT ’11 Proceedings of the 2011 International Conference on Communication Systems and Network Technologies, pages 655–659
S. Pai (2011)
Universally Composable Security Analysis of OAuth v2.0
S. Chari (2011)
10.1109/CSF.2012.27
Discovering Concrete Attacks on Website Authorization by Formal Analysis
Chetan Bansal (2012)
10.1109/MobServ.2014.15
Towards Enhancing the Security of OAuth Implementations in Smart Phones
Mohamed Shehab (2014)
10.1145/360204.360213
Mobile values, new names, and secure communication
M. Abadi (2001)
10.1145/1456396.1456397
Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps
A. Armando (2008)
OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1
N. Sakimura (2014)
10.1109/SECCOM.2007.4550368
Simple cross-site attack prevention
F. Kerschbaum (2007)
Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization
R. Wang (2013)
10.1007/978-3-642-36830-1_7
Keys to the Cloud: Formal Analysis and Concrete Attacks on Encrypted Web Storage
Chetan Bansal (2013)
10.1145/2420950.2420993
Using automated model analysis for reasoning about security of web protocols
Apurva Kumar (2012)
10.17487/RFC7231
Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
R. Fielding (2014)
Cookies Lack Integrity: Real-World Implications
Xiaofeng Zheng (2015)
Open Web Application Security Project (OWASP). Session fixation
RFC7662 – OAuth 2.0 Token Introspection
J. Richer ed (2015)
10.1145/2660267.2660323
OAuth Demystified for Mobile Application Developers
E. Y. Chen (2014)
10.1109/CSF.2010.27
Towards a Formal Foundation of Web Security
Devdatta Akhawe (2010)
10.1016/j.cose.2012.08.007
An authentication flaw in browser-based Single Sign-On protocols: Impact and remediations
Alessandro Armando (2013)
10.1145/2810103.2813726
SPRESSO: A Secure, Privacy-Respecting Single Sign-On System for the Web
Daniel Fett (2015)
Referrer Policy – Editor’s Draft, 28 March 2016
J. Eisinger (2016)



This paper is referenced by
10.1109/ICT.2017.7998280
Choice of suitable Identity and Access Management standards for mobile computing and communication
Nitin Naik (2017)
10.1145/3241403.3241458
Aggregation of security metrics for decision making: a reference architecture
Yussuf Ahmed (2018)
10.1145/3322431.3326449
Verifying OAuth Implementations Through Encrypted Network Analysis
Josh Talkington (2019)
10.1145/3359986.3361211
Security analysis of cloud-connected industrial control systems using combinatorial testing
P. W. V. Tran-Jørgensen (2019)
10.1007/978-3-319-66284-8_33
Security Flows in OAuth 2.0 Framework: A Case Study
M. Argyriou (2017)
10.1145/3131365.3131404
Measuring and mitigating oauth access token abuse by collusion networks
Shehroze Farooqi (2017)
Improving the security of real world identity management systems
Wanpeng Li (2017)
10.1145/3338500.3360331
OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect
W. Li (2019)
10.1109/TrustCom/BigDataSE.2018.00227
OAuth-SSO: A Framework to Secure the OAuth-Based SSO Service for Packaged Web Applications
Nazmul Hossain (2018)
Decoupled-IFTTT: Constraining Privilege in Trigger-Action Platforms for the Internet of Things
Earlence Fernandes (2017)
10.1016/j.jisa.2019.102444
A research of security in website account binding
Xi Chao Gao (2020)
10.1007/978-3-319-94268-1_33
An Empirical Study of OAuth-Based SSO System on Web
Kaili Qiu (2018)
10.1145/3386723.3387888
Web OAuth-based SSO Systems Security
Yassine Sadqi (2020)
10.1109/CSF.2017.20
The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines
Daniel Fett (2017)
10.1109/PST.2018.8514180
Mitigating CSRF attacks on OAuth 2.0 Systems
Wanpeng Li (2018)
10.1109/ACCESS.2019.2920675
Towards Further Formal Foundation of Web Security: Expression of Temporal Logic in Alloy and Its Application to a Security Model With Cache
Hayato Shimamoto (2019)
Analysis and prevention of security threats in web and cryptographic applications
M. Squarcina (2018)
Vetting Single Sign-On SDK Implementations via Symbolic Reasoning
R. Yang (2018)
10.1109/EuroSP.2017.32
SoK: Single Sign-On Security — An Evaluation of OpenID Connect
C. Mainka (2017)
10.1016/j.cose.2018.01.014
A privacy-enhanced OAuth 2.0 based protocol for Smart City mobile applications
V. Sucasas (2018)
A Protocol for Service to Service Authentication using Token Challenge Response
Hiresha Kewalramani (2019)
10.1109/ISCAIE.2016.7575043
Social login with OAuth for mobile applications: User's view
Lee Ho (2016)
10.1109/ACCESS.2019.2926556
An Identity Framework for Providing Access to FIWARE OAuth 2.0-Based Services According to the eIDAS European Regulation
Álvaro Alonso (2019)
10.1145/2994620.2994637
UnlimitID: Privacy-Preserving Federated Identity Management using Algebraic MACs
Marios Isaakidis (2016)
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the application of BCM Principles
N. Sakimura (2017)
10.1016/j.future.2018.06.049
Android single sign-on security: Issues, taxonomy and directions
X. Liu (2018)
10.3390/s20102962
Nextmed: Automatic Imaging Segmentation, 3D Reconstruction, and 3D Model Visualization Platform Using Augmented and Virtual Reality
S. G. Izard (2020)
Technical Report on Deploying a highly secured OpenStack Cloud Infrastructure using BradStack as a Case Study
Bashir Mohammed (2017)
User Access Privacy in OAuth 2.0 and OpenID Connect
Wanpeng Li (2020)
WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring
Stefano Calzavara (2018)
10.1109/LA-CCI.2017.8285719
User profile acquisition: A comprehensive framework to support personal information agents
Gerrit Kasper (2017)
10.1109/MobiSecServ48690.2020.9042946
Detecting Devices and Protocols on VPN-Encrypted Networks
Josh Talkington (2020)
Some data provided by Semantic Scholar