Security Flows in OAuth 2.0 Framework: A Case Study

  • Marios Argyriou
  • Nicola Dragoni
  • Angelo SpognardiEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10489)


The burst in smartphone use, handy design in laptops and tablets as well as other smart products, like cars with the ability to drive you around, manifests the exponential growth of network usage and the demand of accessing remote data on a large variety of services. However, users notoriously struggle to maintain distinct accounts for every single service that they use. The solution to this problem is the use of a Single Sign On (SSO) framework, with a unified single account to authenticate user’s identity throughout the different services. In April 2007, AOL introduced OpenAuth framework. After several revisions and despite its wide adoption, OpenAuth 2.0 has still several flaws that need to be fixed in several implementations. In this paper, we present a thorough review about both benefits of this single token authentication mechanism and its open flaws.


  1. 1.
    Boshmaf, Y., Muslukhov, I., Beznosov, K., Ripeanu, M.: Key Challenges in defending against malicious socialbots. In: Proceedings of the 5th USENIX Conference on Large-Scale Exploits and Emergent Threats, LEET 2012. USENIX Association, Berkeley (2012)Google Scholar
  2. 2.
    Campbell, B., Mortimore, C., Jones, M., Goland, Y.: Assertion framework for OAuth 2.0 Client Authentication and Authorization Grants. RFC 7521 (Proposed Standard), May 2015Google Scholar
  3. 3.
    Hardt, D. (Ed).: RFC 6749: The OAuth 2.0 Authorization Framework. Annalen der Physik (2012). Accessed 12 Dec 2016Google Scholar
  4. 4.
    Ferry, E., O Raw, J., Curran, K.: Security evaluation of the OAuth framework. Inf. Comput. Secur. 23(1), 73–101 (2015)CrossRefGoogle Scholar
  5. 5.
    Fett, D., Küsters, R., Schmitz, G.: A comprehensive formal security analysis of OAuth 2.0. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, New York. ACM (2016)Google Scholar
  6. 6.
    Goldshlager, N.: How i hacked Facebook OAuth to get full permission on any account. Accessed 15 Dec 2016
  7. 7.
    HTH: Common OAuth2 vulnerabilities and mitigation techniques. Accessed 15 Dec 2016
  8. 8.
    Jones, M., Bradley, J., Sakimura, N.: OAuth 2.0 mix-up mitigation. Accessed 05 2017
  9. 9.
    Kiani, K.: Four Attacks on OAuth - How to secure your OAuth implementation. SANS - Working Papers in Application Security (2016)Google Scholar
  10. 10.
    Li, W., Mitchell, C.J.: Security issues in OAuth 2.0 SSO implementationsGoogle Scholar
  11. 11.
    Lodderstedt, T., McGloin, M., Hunt, P.: OAuth 2.0 threat model and security considerations. RFC 6819 (Informational), January 2013Google Scholar
  12. 12.
    Pai, S., Sharma, Y., Kumar, S., Pai, R.M., Singh, S.: Formal verification of OAuth 2.0 using alloy framework. In: Proceedings of the 2011 International Conference on Communication Systems and Network Technologies, CSNT 2011. IEEE Computer Society, Washington (2011)Google Scholar
  13. 13.
    Pranav, H.: Twitter’s bug - importing contacts (oauth flaw). Accessed 15 Dec 2016
  14. 14.
    Shehab, M., Mohsen, F.: Securing OAuth implementations in smart phones. In: Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, CODASPY 2014. ACM, New York (2014)Google Scholar
  15. 15.
    Wing, R.Y., Lau, C., Liu, T.: Signing into One Billion Mobile App. Accounts Effortlessly with OAuth2.0. The Chinese University of Hong Kong (2015)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Marios Argyriou
    • 1
  • Nicola Dragoni
    • 1
    • 2
  • Angelo Spognardi
    • 1
    • 3
    Email author
  1. 1.DTU ComputeTechnical University of DenmarkLyngbyDenmark
  2. 2.Centre for Applied Autonomous Sensor SystemsÖrebro UniversityÖrebroSweden
  3. 3.Dipartimento InformaticaSapienza Università di RomaRomeItaly

Personalised recommendations