Featured image of post OIDC Security Research

OIDC Security Research

Dive into OpenID Connect security, learn from security researchers, and enhance your knowledge on OIDC threats and attack scenarios.

Security Analysis of Real-Life OpenID Connect Implementations

In this Master’s thesis, Christian Fries presents a lab environment for developers and penetration-testers to unveil security flaws in real-world OpenID Connect Certified Service Provider and Identity Provider implementations.

In addition, the paper describes common threats and attack scenarios including single- and cross-phase attacks on relying parties, like token substitution, key confusion and replay attacks. Also OpenID provider attacks, like message flow confusion, PKCE downgrade or sub claim spoofing are covered.

โ†’ Read the Paper (.pdf)

OpenID Connect Security Considerations

This paper from security researchers of the Ruhr-University Bochum looked at OpenID Connect specification flaws and implementation issues opening up attack vectors. They outline common attack scenarios like session overwriting, redirect URI manipulation or token recipient confusion and give attack defense recommendations.

This crisp technical report is definitely a great source of inspiration for everyone who plans to conduct any form of OIDC pen-testing.

โ†’ Read the Paper (.pdf)

Licensed under CC BY 4.0
Brennenstuhl on Security
Made in ๐Ÿ‡ฉ๐Ÿ‡ช ยท Hosted in ๐Ÿ‡ช๐Ÿ‡บ ยท Powered by Hugo & Stack
Imprint ยท Privacy