Many millions of users routinely use Google to log in to relying party (RP) websites supporting Google’s OpenID Connect service. OpenID Connect builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management. OpenID Connect allows an RP to obtain authentication assurances regarding an end user. A number of authors have analysed OAuth 2.0 security, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google’s implementation of OpenID Connect, involving forensic examination of 103 RP websites supporting it. Our study reveals widespread serious vulnerabilities of a number of types, many allowing an attacker to log in to an RP website as a victim user. These issues appear to be caused by a combination of Google’s design of its OpenID Connect service and RP developers making design decisions sacrificing security for ease of implementation. We give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.
Li, W., & Mitchell, C. J. (2016). Analysing the security of google’s implementation of openID connect. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 9721, pp. 357–376). Springer Verlag. https://doi.org/10.1007/978-3-319-40667-1_18