On the security of modern Single Sign-On Protocols: OpenID Connect 1.0

OpenID Connect is a new Single Sign-On authentication protocol which has become increasingly important since its publication in February 2014. It relies on the OAuth protocol, which currently is the de facto standard for delegated authorization on the modern web and is supported by leading companies such as Google, Facebook and Twitter. An important limitation of OAuth is that it was designed for authorization and not for authentication: it allows a third party, e.g., a mobile app or a web application, to access only a subset of the resources belonging to a user, but it does not provide a secure means of uniquely identifying that user. Recent research has accordingly revealed problems when OAuth is nonetheless used for authentication, and these problems result in severe security vulnerabilities. OpenID Connect was created to fill this gap: it provides federated identity management and authentication by adding authentication capabilities on top of the OAuth protocol. Although OpenID Connect is a very new standard, companies like Google, Microsoft, AOL and PayPal, which were also involved in its development, already use it. In this paper we describe the OpenID Connect protocol and provide the first in-depth analysis of key features of OpenID Connect, the \emph{Discovery} and \emph{Dynamic Registration} extensions. We show that the usage of these extensions can compromise the security of the entire protocol. We develop a new attack called the \emph{Malicious Endpoints} attack, evaluate it against an existing implementation, and propose countermeasures to fix the presented issues.
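The Discovery extension lets a relying party fetch its provider's endpoint URLs from a metadata document, which is exactly the data an attacker would want to tamper with. The following added example (not code from the paper or from any OpenID Connect implementation) shows a defensive check a relying party can apply to that document: the `issuer` value must match the issuer identifier the document was retrieved for, which the Discovery specification requires, and, as a stricter policy adopted here by assumption, every endpoint must be an HTTPS URL on that issuer's origin. The issuer `https://idp.example` and both JSON documents are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed discovery document, as a relying party would receive it from
# https://idp.example/.well-known/openid-configuration (hypothetical issuer).
GOOD_CONFIG = json.dumps({
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/token",
    "jwks_uri": "https://idp.example/jwks",
    "registration_endpoint": "https://idp.example/register",
})

# Constructed document in which the token endpoint points to a foreign host,
# so that the code exchange would leak the authorization code elsewhere.
BAD_CONFIG = json.dumps({
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://attacker.example/token",
    "jwks_uri": "https://idp.example/jwks",
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                 "userinfo_endpoint", "registration_endpoint")


def validate_discovery(expected_issuer: str, body: str) -> dict:
    """Parse a discovery document and accept it only if the issuer matches
    the identifier the RP started from and every endpoint is an HTTPS URL
    on that issuer's origin. Raises ValueError on any violation."""
    cfg = json.loads(body)
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        raise ValueError(f"missing metadata: {missing}")
    # OpenID Connect Discovery 1.0 requires the issuer value in the document
    # to be identical to the issuer URL it was retrieved for.
    if cfg["issuer"] != expected_issuer:
        raise ValueError("issuer mismatch")
    origin = urlparse(expected_issuer)
    for key in ENDPOINT_KEYS:
        if key not in cfg:
            continue
        u = urlparse(cfg[key])
        # Stricter than the specification (assumption): endpoints must be
        # HTTPS and live on the issuer's own host and port.
        if u.scheme != "https" or (u.hostname, u.port) != (origin.hostname, origin.port):
            raise ValueError(f"{key} not on issuer origin: {cfg[key]}")
    return cfg
```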
