Analysing the Security of Google’s implementation of OpenID Connect

Wanpeng Li, Chris Mitchell

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

16 Citations (Scopus)

Abstract

Many millions of users routinely use Google to log in to relying party (RP) websites supporting Google’s OpenID Connect service. OpenID Connect builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management. OpenID Connect allows an RP to obtain authentication assurances regarding an end user from an OpenID Provider (OP). A number of authors have analysed OAuth 2.0 security, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google’s implementation of OpenID Connect, involving forensic examination of 103 RP websites supporting it. Our study reveals widespread serious vulnerabilities of a number of types, many allowing an attacker to log in to an RP website as a victim user. These issues appear to be caused by a combination of Google’s design of its OpenID Connect service and RP developers making design decisions that sacrifice security for ease of implementation. We give practical recommendations for both RPs and OPs to help improve the security of real-world OpenID Connect systems.
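The abstract describes OpenID Connect as an identity layer over OAuth 2.0 through which an RP obtains authentication assurances about a user. Concretely, that assurance arrives as a signed ID token, and it is only as strong as the checks the RP performs before trusting it. The following is an added example written for this page, not code from the paper, from Google, or from any of the RPs studied: it implements the ID-token checks that the OpenID Connect Core specification requires of an RP (signature, iss, aud, exp, nonce) and exercises each rejection path. The client ID, signing key, nonce and tokens are all constructed; HS256 with a shared key is assumed only so the example runs offline with the standard library, whereas real Google ID tokens are RS256-signed with keys fetched from Google's JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed RP configuration (constructed for this example, not real credentials).
CLIENT_ID = "1234567890-example.apps.googleusercontent.com"
# Google's ID tokens carry the issuer in either of these two forms.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a demo JWT. Google signs ID tokens with RS256 against keys published
    at its JWKS endpoint; HS256 with a shared key is assumed here only so the
    example runs offline with the standard library."""
    header_b64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    signing_input = (header_b64 + "." + payload_b64).encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return header_b64 + "." + payload_b64 + "." + _b64url_encode(sig)


def verify_id_token(token: str, key: bytes, client_id: str, expected_nonce: str, now=None) -> dict:
    """Return the claims if every RP-side check passes, otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The verifier pins the algorithm; the token header never gets to choose it
    # (this is what rejects alg "none" and algorithm-switching tokens).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token was not issued to this client_id")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def demo(now: float = 1465689600.0) -> dict:
    """Run the checks over constructed tokens with a fixed clock; map case -> outcome."""
    key = b"constructed-demo-key"
    nonce = "n-0S6_WzA2Mj"  # value the RP stored in the session when it built the auth request
    good = {"iss": "https://accounts.google.com", "sub": "demo-user-1", "aud": CLIENT_ID,
            "iat": now, "exp": now + 3600, "nonce": nonce}
    cases = {
        "valid": make_id_token(good, key),
        # Genuine token, correctly signed by the provider, but minted for a different RP.
        "other_rp_audience": make_id_token({**good, "aud": "9876543210-other.apps.googleusercontent.com"}, key),
        "expired": make_id_token({**good, "exp": now - 1}, key),
        "nonce_mismatch": make_id_token({**good, "nonce": "replayed"}, key),
        "wrong_issuer": make_id_token({**good, "iss": "https://idp.example"}, key),
        "alg_none": make_id_token(good, key, alg="none"),
    }
    outcomes = {}
    for name, token in cases.items():
        try:
            outcomes[name] = "ok:" + verify_id_token(token, key, CLIENT_ID, nonce, now)["sub"]
        except ValueError as err:
            outcomes[name] = "rejected: " + str(err)
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The case worth dwelling on is other_rp_audience: that token is authentic and its signature verifies, so an RP that checks the signature but not aud would log the bearer in as demo-user-1 even though the provider never issued the token for this site. The nonce check similarly ties the token to the specific login attempt the RP started, which is what stops a captured token from being replayed into a fresh session.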
Original language: English
Title of host publication: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Editors: J. Caballero, U. Zurutuza, R. Rodríguez
Publisher: Springer Lecture Notes in Computer Science
Pages: 357-376
Number of pages: 19
Volume: 9721
ISBN (Electronic): 978-3-319-40667-1
ISBN (Print): 978-3-319-40666-4
DOIs: 10.1007/978-3-319-40667-1_18
Publication status: Published - 12 Jun 2016

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
Volume: 9721


Cite this

Li, W., & Mitchell, C. (2016). Analysing the Security of Google’s implementation of OpenID Connect. In J. Caballero, U. Zurutuza, & R. Rodríguez (Eds.), International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (Vol. 9721, pp. 357-376). (Lecture Notes in Computer Science; Vol. 9721). Springer Lecture Notes in Computer Science. https://doi.org/10.1007/978-3-319-40667-1_18