2016
DOI: 10.1007/978-3-319-40667-1_18

Analysing the Security of Google’s Implementation of OpenID Connect

Abstract: Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors hav…

Cited by 44 publications (32 citation statements); references 22 publications.
“…Chen et al. [6] and Shehab and Mohsen [19] have looked at the security of OAuth 2.0 implementations on mobile platforms. Li and Mitchell [14] conducted an empirical study of the security of the OpenID Connect-based SSO service provided by Google.…”
Section: Analysing the Security of OAuth 2.0 and OpenID Connect (citation type: mentioning; confidence: 99%)
“…The HTTP message (see, for example, listing 1.1) of such an authorization response contains a Referer header which points to the IdP domain. In practice, major IdPs, such as Google, Facebook and Microsoft, implement an 'automatic authorization granting' feature [14]. That is, when the user has logged in to his/her OAuth 2.0 IdP account, the IdP generates an authorization response without explicit user consent.…”
Section: Protecting the Authorization Code (Grant) Flow (citation type: mentioning; confidence: 99%)
“…The security properties of real-world OAuth 2.0 implementations have also been examined by a number of authors [5,10,11,13,18,21,22,24]. Wang et al. [22] examined deployed SSO systems, focussing on a logic flaw present in many such systems, including OpenID.…”
Section: Explicit User Intention Tracking (citation type: mentioning; confidence: 99%)
“…In an XSS attack in OIDC, an attacker exploits the facility of automatic authorization granting, by which an automatic authorization response is created if a user recently had a session with the OIDC IdP and previously granted authorization for the same client/RP [31]. Using this facility, an attacker may be able to steal a user access token by exploiting an XSS vulnerability on the client/RP side.…”
Section: XSS Attack in OIDC (citation type: mentioning; confidence: 99%)