Security Issues in OAuth 2.0 SSO Implementations

Wanpeng Li, Chris Mitchell

Research output: Chapter in Book/Report/Conference proceedingConference contribution

33 Citations (Scopus)
95 Downloads (Pure)

Abstract

Many Chinese websites (relying parties) use OAuth 2.0 as the basis of a single sign-on service to ease password management for users. Many sites support five or more different OAuth 2.0 identity providers, giving users choice in their trust point. However, although OAuth 2.0 has been widely implemented (particularly in China), little attention has been paid to security in practice. In this paper we report on a detailed study of OAuth 2.0 implementation security for ten major identity providers and 60 relying parties, all based in China. This study reveals two critical vulnerabilities present in many implementations, both allowing an attacker to control a victim user’s accounts at a relying party without knowing the user’s account name or password. We provide simple, practical recommendations for identity providers and relying parties to enable them to mitigate these vulnerabilities. The vulnerabilities have been reported to the parties concerned.
Original languageEnglish
Title of host publicationInternational Conference on Information Security
EditorsSSM Chow, J Camenisch , LCK Hui , SM Yui
Place of PublicationCham
PublisherSpringer
Pages529-541
Number of pages13
ISBN (Electronic)978-3-319-13257-0
ISBN (Print)978-3-319-13256-3
DOIs
Publication statusPublished - 14 Oct 2014

Publication series

NameLecture Notes in Computer Science
PublisherSpringer
Volume8783
ISSN (Print)0302-9743

Keywords

  • user agent
  • resource owner
  • identity provider
  • security assertion markup language
  • identity federation

Fingerprint

Dive into the research topics of 'Security Issues in OAuth 2.0 SSO Implementations'. Together they form a unique fingerprint.

Cite this