Abstract
The surge in smartphone use, ever more portable laptops and tablets, and other smart products such as cars able to drive you around manifest the exponential growth of network usage and of the demand to access remote data across a large variety of services. However, users notoriously struggle to maintain distinct accounts for every single service they use. The solution to this problem is a Single Sign On (SSO) framework, with a unified single account to authenticate the user's identity across the different services. In April 2007, AOL introduced the OpenAuth framework. After several revisions and despite its wide adoption, OpenAuth 2.0 still has several flaws that need to be fixed in several implementations. In this paper, we present a thorough review of both the benefits of this single-token authentication mechanism and its open flaws.
© 2017 Springer International Publishing AG
Argyriou, M., Dragoni, N., Spognardi, A. (2017). Security Flows in OAuth 2.0 Framework: A Case Study. In: Tonetta, S., Schoitsch, E., Bitsch, F. (eds) Computer Safety, Reliability, and Security . SAFECOMP 2017. Lecture Notes in Computer Science(), vol 10489. Springer, Cham. https://doi.org/10.1007/978-3-319-66284-8_33
DOI: https://doi.org/10.1007/978-3-319-66284-8_33
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66283-1
Online ISBN: 978-3-319-66284-8