User Access Privacy in OAuth 2.0 and OpenID Connect

Wanpeng Li; Chris J. Mitchell

doi:10.1109/EuroSPW51379.2020.00095

User Access Privacy in OAuth 2.0 and OpenID Connect

Wanpeng Li, Chris J. Mitchell

Research output: Chapter in Book/Report/Conference proceeding › Published conference contribution

4 Citations (Scopus)

Abstract

Currently widely used federated login (single sign-on) systems, notably those based on OAuth 2.0, offer very little privacy for the user, and as a result the identity provider (e.g. Google or Facebook) can learn a great deal about user web behaviour, in particular which sites they access. This is clearly not desirable for privacy reasons, and in particular for privacy-conscious users who wish to minimise the information about web access behaviour that they reveal to third party organisations. In this paper we give a systematic analysis of the user access privacy properties of OAuth 2.0 and OpenID Connect systems, and in doing so describe how simple it is for an identity provider to track user accesses. We also propose possible ways in which these privacy issues could to some extent be mitigated, although we conclude that to make the protocols truly privacy-respecting requires significant changes to the way in which they operate. In particular, it seems impossible to develop simple browser-based mitigations without modifying the protocol behaviour. We also briefly examine parallel research by Hammann et al., who have proposed a means of improving the privacy properties of OpenID Connect.

Original language	English
Title of host publication	Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	664-672
Number of pages	9
ISBN (Electronic)	9781728185972
DOIs	https://doi.org/10.1109/EuroSPW51379.2020.00095
Publication status	Published - Sep 2020
Event	5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020 - Virtual, Genoa, Italy Duration: 7 Sep 2020 → 11 Sep 2020

Conference

Conference	5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
Country/Territory	Italy
City	Virtual, Genoa
Period	7/09/20 → 11/09/20

Keywords

Authentication
Authorization
OAuth 2.0
OpenID Connect
Privacy

Access to Document

10.1109/EuroSPW51379.2020.00095

Cite this

Li, W & Mitchell, CJ 2020, User Access Privacy in OAuth 2.0 and OpenID Connect. in Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020., 9229747, Institute of Electrical and Electronics Engineers Inc., pp. 664-672, 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020, Virtual, Genoa, Italy, 7/09/20. https://doi.org/10.1109/EuroSPW51379.2020.00095

@inproceedings{c078ee662acb46109ca2781d12487113,

title = "User Access Privacy in OAuth 2.0 and OpenID Connect",

abstract = "Currently widely used federated login (single sign-on) systems, notably those based on OAuth 2.0, offer very little privacy for the user, and as a result the identity provider (e.g. Google or Facebook) can learn a great deal about user web behaviour, in particular which sites they access. This is clearly not desirable for privacy reasons, and in particular for privacy-conscious users who wish to minimise the information about web access behaviour that they reveal to third party organisations. In this paper we give a systematic analysis of the user access privacy properties of OAuth 2.0 and OpenID Connect systems, and in doing so describe how simple it is for an identity provider to track user accesses. We also propose possible ways in which these privacy issues could to some extent be mitigated, although we conclude that to make the protocols truly privacy-respecting requires significant changes to the way in which they operate. In particular, it seems impossible to develop simple browser-based mitigations without modifying the protocol behaviour. We also briefly examine parallel research by Hammann et al., who have proposed a means of improving the privacy properties of OpenID Connect.",

keywords = "Authentication, Authorization, OAuth 2.0, OpenID Connect, Privacy",

author = "Wanpeng Li and Mitchell, {Chris J.}",

note = "Publisher Copyright: {\textcopyright} 2020 IEEE.; 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020 ; Conference date: 07-09-2020 Through 11-09-2020",

year = "2020",

month = sep,

doi = "10.1109/EuroSPW51379.2020.00095",

language = "English",

pages = "664--672",

booktitle = "Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - GEN

T1 - User Access Privacy in OAuth 2.0 and OpenID Connect

AU - Li, Wanpeng

AU - Mitchell, Chris J.

PY - 2020/9

Y1 - 2020/9

N2 - Currently widely used federated login (single sign-on) systems, notably those based on OAuth 2.0, offer very little privacy for the user, and as a result the identity provider (e.g. Google or Facebook) can learn a great deal about user web behaviour, in particular which sites they access. This is clearly not desirable for privacy reasons, and in particular for privacy-conscious users who wish to minimise the information about web access behaviour that they reveal to third party organisations. In this paper we give a systematic analysis of the user access privacy properties of OAuth 2.0 and OpenID Connect systems, and in doing so describe how simple it is for an identity provider to track user accesses. We also propose possible ways in which these privacy issues could to some extent be mitigated, although we conclude that to make the protocols truly privacy-respecting requires significant changes to the way in which they operate. In particular, it seems impossible to develop simple browser-based mitigations without modifying the protocol behaviour. We also briefly examine parallel research by Hammann et al., who have proposed a means of improving the privacy properties of OpenID Connect.

AB - Currently widely used federated login (single sign-on) systems, notably those based on OAuth 2.0, offer very little privacy for the user, and as a result the identity provider (e.g. Google or Facebook) can learn a great deal about user web behaviour, in particular which sites they access. This is clearly not desirable for privacy reasons, and in particular for privacy-conscious users who wish to minimise the information about web access behaviour that they reveal to third party organisations. In this paper we give a systematic analysis of the user access privacy properties of OAuth 2.0 and OpenID Connect systems, and in doing so describe how simple it is for an identity provider to track user accesses. We also propose possible ways in which these privacy issues could to some extent be mitigated, although we conclude that to make the protocols truly privacy-respecting requires significant changes to the way in which they operate. In particular, it seems impossible to develop simple browser-based mitigations without modifying the protocol behaviour. We also briefly examine parallel research by Hammann et al., who have proposed a means of improving the privacy properties of OpenID Connect.

KW - Authentication

KW - Authorization

KW - OAuth 2.0

KW - OpenID Connect

KW - Privacy

UR - http://www.scopus.com/inward/record.url?scp=85097106603&partnerID=8YFLogxK

U2 - 10.1109/EuroSPW51379.2020.00095

DO - 10.1109/EuroSPW51379.2020.00095

M3 - Published conference contribution

AN - SCOPUS:85097106603

SP - 664

EP - 672

BT - Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020

Y2 - 7 September 2020 through 11 September 2020

ER -

User Access Privacy in OAuth 2.0 and OpenID Connect

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this