Many millions of users routinely use Google to log in to relying party (RP) websites supporting Google’s OpenID Connect service. OpenID Connect builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management. OpenID Connect allows an RP to obtain authentication assurances regarding an end user. A number of authors have analysed OAuth 2.0 security, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google’s implementation of OpenID Connect, involving forensic examination of 103 RP websites supporting it. Our study reveals widespread serious vulnerabilities of a number of types, many allowing an attacker to log in to an RP website as a victim user. These issues appear to be caused by a combination of Google’s design of its OpenID Connect service and RP developers making design decisions sacrificing security for ease of implementation. We give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.
|Title of host publication||International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment|
|Editors||J Callabero, U Zurutuza , R Rodríguez|
|Publisher||Springer Lecture Notes in Computer Science|
|Number of pages||19|
|Publication status||Published - 12 Jun 2016|
|Name||Lecture Notes in Computer Science|
Li, W., & Mitchell, C. (2016). Analysing the Security of Google’s implementation of OpenID Connect. In J. Callabero, U. Zurutuza , & R. Rodríguez (Eds.), International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (Vol. 9721, pp. 357-376). (Lecture Notes in Computer Science; Vol. 9721). Springer Lecture Notes in Computer Science. https://doi.org/10.1007/978-3-319-40667-1_18