A Comprehensive Formal Security Analysis of OAuth 2.0

flowerthoughts

(2016)

> When proving the security of OAuth in our model, we discovered four attacks which break the security of OAuth. The vulnerabilities can be exploited in practice and are present also in OpenID Connect.

> We reported all attacks to the OAuth and OpenID Connect working groups who confirmed the attacks. The OAuth working group invited us to present our findings to them and prepared a draft for an RFC that mitigates the IdP mix-up attack (using the fix described in Section 3.2) [24]. Fixes regarding the other attacks are currently under discussion. We also notified nytimes.com, Facebook, and the developers of mod_auth_openidc and pyoidc.

The burning question is what has happened since. I couldn't find an RFC or errata about the other issues.

(Aside from formal analyses being cool research. :)

[24] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mix-u...