User Access Privacy in OAuth 2.0 and OpenID Connect

Wanpeng Li, Chris J. Mitchell

Research output: Chapter in Book/Report/Conference proceeding (Published conference contribution)

8 Citations (Scopus)

Abstract

Currently widely used federated login (single sign-on) systems, notably those based on OAuth 2.0, offer very little privacy for the user, and as a result the identity provider (e.g. Google or Facebook) can learn a great deal about user web behaviour, in particular which sites they access. This is clearly not desirable for privacy reasons, and in particular for privacy-conscious users who wish to minimise the information about web access behaviour that they reveal to third-party organisations. In this paper we give a systematic analysis of the user access privacy properties of OAuth 2.0 and OpenID Connect systems, and in doing so describe how simple it is for an identity provider to track user accesses. We also propose possible ways in which these privacy issues could, to some extent, be mitigated, although we conclude that making the protocols truly privacy-respecting requires significant changes to the way in which they operate. In particular, it seems impossible to develop simple browser-based mitigations without modifying the protocol behaviour. We also briefly examine parallel research by Hammann et al., who have proposed a means of improving the privacy properties of OpenID Connect.

Original language: English
Title of host publication: Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 664-672
Number of pages: 9
ISBN (Electronic): 9781728185972
DOIs
Publication status: Published - Sept 2020
Event: 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020 - Virtual, Genoa, Italy
Duration: 7 Sept 2020 to 11 Sept 2020

Conference

Conference: 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
Country/Territory: Italy
City: Virtual, Genoa
Period: 7/09/20 to 11/09/20

Bibliographical note

Publisher Copyright:
© 2020 IEEE.

Keywords

  • Authentication
  • Authorization
  • OAuth 2.0
  • OpenID Connect
  • Privacy
