
Security Flows in OAuth 2.0 Framework: A Case Study

Conference paper. Computer Safety, Reliability, and Security (SAFECOMP 2017)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 10489)

Abstract

The explosion in smartphone use, the convenient form factor of laptops and tablets, and other smart products, such as cars that can drive you around, reflect the exponential growth of network usage and of the demand for access to remote data across a large variety of services. However, users notoriously struggle to maintain a distinct account for every single service they use. The solution to this problem is a Single Sign On (SSO) framework, in which one unified account authenticates the user's identity across the different services. In April 2007, AOL introduced the OpenAuth framework. After several revisions and despite its wide adoption, OAuth 2.0 still has several flaws that need to be fixed in many implementations. In this paper, we present a thorough review of both the benefits of this single-token authentication mechanism and its open flaws.
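As an added illustration of the kind of implementation flaw the paper reviews (this is example code, not the paper's own material): a client-side validation of the OAuth 2.0 authorization response that enforces the state binding required by RFC 6749 section 10.12 and RFC 6819 against login CSRF, and the iss/client_id check proposed in draft-ietf-oauth-mix-up-mitigation against the mix-up attack. The authorization-server registry KNOWN_AS, the session dictionary and the build_redirect helper are assumptions made for the example.

```python
"""Client-side checks on an OAuth 2.0 authorization response.

Added example, not code from the paper. It models two checks the cited
specifications require of a client:
  * RFC 6749 section 10.12 / RFC 6819: bind `state` to the user's session and
    compare it on return, so a redirect forged by an attacker cannot finish
    the flow inside the victim's session (login CSRF).
  * draft-ietf-oauth-mix-up-mitigation: the authorization server adds `iss`
    and `client_id` to its response; the client checks both against the
    server it started the flow with, so an authorization code is never sent
    to a different server's token endpoint.
The registry, session dict and URL helper below are assumptions for this
example, not part of any library.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical client registration, keyed by issuer URL.
KNOWN_AS = {
    "https://as.example.com": {"client_id": "client-123"},
    # A second (attacker-controlled) server the client is also registered
    # with, as in the mix-up scenario.
    "https://as.attacker.example": {"client_id": "client-123"},
}


def start_authorization(session: dict, issuer: str) -> str:
    """Mint a fresh state and remember which server the flow began with."""
    if issuer not in KNOWN_AS:
        raise ValueError("unknown authorization server")
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_issuer"] = issuer
    return state


def validate_authorization_response(session: dict, redirect_url: str) -> str:
    """Return the authorization code, or raise ValueError if any binding fails."""
    params = parse_qs(urlsplit(redirect_url).query)

    def one(name: str) -> str:
        values = params.get(name, [])
        if len(values) != 1:  # missing or duplicated parameters are rejected
            raise ValueError(f"expected exactly one '{name}' parameter")
        return values[0]

    # Consume the stored values: a state is valid for exactly one response.
    expected_state = session.pop("oauth_state", None)
    expected_issuer = session.pop("oauth_issuer", None)
    if expected_state is None or expected_issuer is None:
        raise ValueError("no authorization request in progress")
    if not hmac.compare_digest(one("state"), expected_state):
        raise ValueError("state mismatch: possible CSRF")
    if one("iss") != expected_issuer:
        raise ValueError("issuer mismatch: possible mix-up")
    if one("client_id") != KNOWN_AS[expected_issuer]["client_id"]:
        raise ValueError("client_id mismatch: possible mix-up")
    return one("code")


def check_authorization_response(session: dict, redirect_url: str) -> tuple:
    """Non-raising wrapper: (True, code) on success, (False, reason) otherwise."""
    try:
        return True, validate_authorization_response(session, redirect_url)
    except ValueError as exc:
        return False, str(exc)


def build_redirect(code: str, state: str, iss: str, client_id: str) -> str:
    """Construct a sample redirect URL as an authorization server would send it."""
    query = urlencode({"code": code, "state": state, "iss": iss, "client_id": client_id})
    return "https://client.example.org/cb?" + query


if __name__ == "__main__":
    honest, attacker = "https://as.example.com", "https://as.attacker.example"

    # 1. Normal flow: every binding holds, the code is accepted.
    s = {}
    st = start_authorization(s, honest)
    print(check_authorization_response(s, build_redirect("c1", st, honest, "client-123")))

    # 2. Forged redirect carrying a state the victim's session never issued.
    s = {}
    start_authorization(s, honest)
    print(check_authorization_response(s, build_redirect("c2", "guess", honest, "client-123")))

    # 3. Mix-up: the flow began with the attacker's server, but the response
    #    (and the code) come from the honest one; without the iss check the
    #    client would post that code to the attacker's token endpoint.
    s = {}
    st = start_authorization(s, attacker)
    print(check_authorization_response(s, build_redirect("c3", st, honest, "client-123")))
```

The stored state is removed from the session before it is compared, so a captured redirect cannot be replayed, and parameters that are absent or duplicated are rejected rather than silently taking the first value.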


References

  1. Boshmaf, Y., Muslukhov, I., Beznosov, K., Ripeanu, M.: Key challenges in defending against malicious socialbots. In: Proceedings of the 5th USENIX Conference on Large-Scale Exploits and Emergent Threats, LEET 2012. USENIX Association, Berkeley (2012)
  2. Campbell, B., Mortimore, C., Jones, M., Goland, Y.: Assertion framework for OAuth 2.0 client authentication and authorization grants. RFC 7521 (Proposed Standard), May 2015
  3. Hardt, D. (ed.): The OAuth 2.0 authorization framework. RFC 6749 (Proposed Standard), October 2012. Accessed 12 Dec 2016
  4. Ferry, E., O Raw, J., Curran, K.: Security evaluation of the OAuth framework. Inf. Comput. Secur. 23(1), 73–101 (2015)
  5. Fett, D., Küsters, R., Schmitz, G.: A comprehensive formal security analysis of OAuth 2.0. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016. ACM, New York (2016)
  6. Goldshlager, N.: How I hacked Facebook OAuth to get full permission on any account. http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html. Accessed 15 Dec 2016
  7. HTH: Common OAuth2 vulnerabilities and mitigation techniques. https://leastprivilege.com/2013/03/15/common-oauth2-vulnerabilities-and-mitigation-techniques/. Accessed 15 Dec 2016
  8. Jones, M., Bradley, J., Sakimura, N.: OAuth 2.0 mix-up mitigation. https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01. Accessed 05 2017
  9. Kiani, K.: Four attacks on OAuth - how to secure your OAuth implementation. SANS Working Papers in Application Security (2016)
  10. Li, W., Mitchell, C.J.: Security issues in OAuth 2.0 SSO implementations
  11. Lodderstedt, T., McGloin, M., Hunt, P.: OAuth 2.0 threat model and security considerations. RFC 6819 (Informational), January 2013
  12. Pai, S., Sharma, Y., Kumar, S., Pai, R.M., Singh, S.: Formal verification of OAuth 2.0 using the Alloy framework. In: Proceedings of the 2011 International Conference on Communication Systems and Network Technologies, CSNT 2011. IEEE Computer Society, Washington (2011)
  13. Pranav, H.: Twitter's bug - importing contacts (OAuth flaw). https://pranavhivarekar.in/2015/01/29/twitters-bug-importing-contacts-oauth-flaw/. Accessed 15 Dec 2016
  14. Shehab, M., Mohsen, F.: Securing OAuth implementations in smart phones. In: Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, CODASPY 2014. ACM, New York (2014)
  15. Wing, R.Y., Lau, C., Liu, T.: Signing into one billion mobile app accounts effortlessly with OAuth 2.0. The Chinese University of Hong Kong (2015)

Author information

Correspondence to Angelo Spognardi.


Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Argyriou, M., Dragoni, N., Spognardi, A. (2017). Security Flows in OAuth 2.0 Framework: A Case Study. In: Tonetta, S., Schoitsch, E., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2017. Lecture Notes in Computer Science, vol 10489. Springer, Cham. https://doi.org/10.1007/978-3-319-66284-8_33

  • DOI: https://doi.org/10.1007/978-3-319-66284-8_33
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-66283-1
  • Online ISBN: 978-3-319-66284-8