Title
SoK: Single Sign-On Security — An Evaluation of OpenID Connect
Abstract
OpenID Connect is the OAuth 2.0-based replacement for OpenID 2.0 (OpenID) and one of the most important Single Sign-On (SSO) protocols used for delegated authentication. It is used by companies like Amazon, Google, Microsoft, and PayPal. In this paper, we systematically analyze well-known attacks on SSO protocols and adapt these on OpenID Connect. Additionally, we introduce two novel attacks on OpenID Connect, Identity Provider Confusion and Malicious Endpoints Attack, abusing flaws in the current specification and breaking the security goals of the protocol. In 2014 we communicated with the authors of the OpenID Connect specification about these attacks and helped to repair the issue (currently an RFC Draft). We categorize the described attacks into two classes: Single-Phase Attacks abusing a lack of a single security check and Cross-Phase Attacks requiring a complex attack setup and manipulating multiple messages distributed across the whole protocol workflow. We provide an evaluation of officially referenced OpenID Connect libraries and find 75% of them vulnerable to at least one Single-Phase Attack. All libraries are susceptible to Cross-Phase Attacks, which is not surprising since the attacks abuse a logic flaw in the protocol and not an implementation error. We reported the found vulnerabilities to the developers and helped them to fix the issues. We address the existing problems in a Practical Offensive Evaluation of Single Sign-On Services (PrOfESSOS). PrOfESSOS is our open source implementation for a fully automated Evaluation-as-a-Service for SSO. PrOfESSOS introduces a generic approach to improve the security of OpenID Connect implementations by systematically detecting vulnerabilities. In collaboration with the IETF OAuth and OpenID Connect working group, we integrate PrOfESSOS into the OpenID Connect certification process. PrOfESSOS is available at https://openid.sso-security.de.
Year: 2017
DOI: 10.1109/EuroSP.2017.32
Venue: 2017 IEEE European Symposium on Security and Privacy (EuroS&P)
Keywords: Single Sign-On, OpenID Connect, Evaluation-as-a-Service, Open Source
Field: Single sign-on, World Wide Web, OpenID Connect, Authentication, Computer science, Computer security, OpenID, Implementation, Identity provider, Certification, Workflow
DocType: Conference
ISBN: 978-1-5090-5763-4
Citations: 5
PageRank: 0.42
References: 16
Authors: 4

Name                Order  Citations  PageRank
Christian Mainka    1      66         10.80
Vladislav Mladenov  2      27         9.22
Jörg Schwenk        3      899        88.54
Tobias Wich         4      7          6.59