Verification of OAuth 2.0 Using UPPAAL

Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 836)


Web services are software services that are accessible over the internet through a set of application program interfaces (APIs). The security of these APIs is a major concern because of their loose coupling, and protection mechanisms are needed to safeguard them from attacks. The simplest of these mechanisms are authentication and authorization. A client that requests access to a web API should be authorized by an end-user who has been authenticated by an authorization server. OAuth 2.0 can be used to achieve this protection. The security properties of a widely used protocol such as OAuth 2.0 should be verified, since many systems depend on this protocol for protection. This paper focuses on verifying three important classes of properties of OAuth 2.0, namely safety, liveness, and absence of deadlock. A model of the OAuth protocol was developed using UPPAAL, a tool used for modeling and verification. This model consists of four finite state machines, one representing each of the roles in OAuth 2.0, and the properties of interest were verified using this model.


OAuth 2.0 UPPAAL Safety Liveness Formal methods 


  1. 1.
    Mouli, V.R., Jevitha, K.: Web services attacks and security-a systematic literature review. Procedia Comput. Sci. 93, 870–877 (2016)CrossRefGoogle Scholar
  2. 2.
    Poornachandran, P., Nithun, M., Pal, S., Ashok, A., Ajayan, A.: Password reuse behavior: how massive online data breaches impacts personal data in web. In: Saini, H.S., Sayal, R., Rawat, S.S. (eds.) Innovations in Computer Science and Engineering. AISC, vol. 413, pp. 199–210. Springer, Singapore (2016). Scholar
  3. 3.
    Franks, J., et al.: HTTP authentication: basic and digest access authentication. Technical report (1999)Google Scholar
  4. 4.
    Luo, X., Chen, Y., Gu, M., Wu, L.: Model checking needham-schroeder security protocol based on temporal logic of knowledge. In: 2009 International Conference on Networks Security, Wireless Communications and Trusted Computing. NSWCTC 2009, vol. 2, pp. 551–554. IEEE (2009)Google Scholar
  5. 5.
    Díaz, G., Cuartero, F., Valero, V., Pelayo, F.: Automatic verification of the TLS handshake protocol. In: Proceedings of the 2004 ACM Symposium on Applied Computing, pp. 789–794. ACM (2004)Google Scholar
  6. 6.
    Yuan, T., et al.: Formalization and verification of REST on HTTP using CSP. Electron. Notes Theor. Comput. Sci. 309, 75–93 (2014)CrossRefGoogle Scholar
  7. 7.
    Yan, H., Fang, H., Kuka, C., Zhu, H.: Verification for OAuth using ASLan++. In: 2015 IEEE 16th International Symposium on High Assurance Systems Engineering (HASE), pp. 76–84. IEEE (2015)Google Scholar
  8. 8.
    Fett, D., Küsters, R., Schmitz, G.: A comprehensive formal security analysis of OAuth 2.0. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1204–1215. ACM (2016)Google Scholar
  9. 9.
    Pai, S., Sharma, Y., Kumar, S., Pai, R.M., Singh, S.: Formal verification of OAuth 2.0 using alloy framework. In: 2011 International Conference on Communication Systems and Network Technologies (CSNT), pp. 655–659. IEEE (2011)Google Scholar
  10. 10.
    Richer, J., Sanso, A.: OAuth 2 in Action. Manning Publications, Shelter Island (2017)Google Scholar
  11. 11.
    Hardt, D.: The OAuth 2.0 authorization framework (2012)Google Scholar
  12. 12.
    Lodderstedt, T., McGloin, M., Hunt, P.: OAuth 2.0 threat model and security considerations (2013)Google Scholar
  13. 13.
    Behrmann, G., David, A., Larsen, K.G.: A tutorial on UPPAAL 4.0 (2006, 2014). URL
  14. 14.
    Larsen, K.G., Pettersson, P., Yi, W.: Uppaal in a nutshell. Int. J. Softw. Tools Technol. Transf. (STTT) 1(1), 134–152 (1997)CrossRefGoogle Scholar
  15. 15.
    Baier, C., Katoen, J.P., Larsen, K.G.: Principles of Model Checking. MIT Press, Cambridge (2008)zbMATHGoogle Scholar
  16. 16.
    Sabnani, K.: An algorithmic technique for protocol verification. IEEE Trans. Commun. 36(8), 924–931 (1988)CrossRefGoogle Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2018

Authors and Affiliations

  1. 1.TIFAC-CORE in Cyber SecurityAmrita Vishwa VidyapeethamCoimbatoreIndia
  2. 2.Department of Computer Science and EngineeringAmrita Vishwa VidyapeethamCoimbatoreIndia
  3. 3.Department of Computer Science and EngineeringState University of New York at BuffaloBuffaloUSA

Personalised recommendations