Analysing the security of Google's implementation of OpenID Connect

Research output: Chapter in Book/Report/Conference proceedingConference contribution

567 Downloads (Pure)


Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.
Original languageEnglish
Title of host publicationDetection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Donostia-San Sebastián, Spain, July 7-8, 2016, Proceedings
EditorsJuan Caballero, Urko Zurutuza, Ricardo J Rodriguez
Number of pages20
ISBN (Electronic)978-3-319-40667-1
ISBN (Print)978-3-319-40666-4
Publication statusE-pub ahead of print - 12 Jun 2016

Publication series

NameLecture Notes in Computer Science

Cite this