Mitigating CSRF attacks on OAuth 2.0 and OpenID Connect
The work addresses a risk that affects the many users who rely on single sign-on through providers such as Google and Facebook, though it is incremental in that it targets a known class of vulnerability rather than a new one.
The paper tackles the problem of cross-site request forgery (CSRF) attacks in real-world implementations of OAuth 2.0 and OpenID Connect, proposing a new technique to mitigate these vulnerabilities.
Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0 and/or OpenID Connect-based single sign-on. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance, and it has been widely examined both in theory and in practice. Unfortunately, as these studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.
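As an added illustration of the attack class the abstract refers to, the following Python example shows the classic login CSRF against an OAuth 2.0 / OpenID Connect client (an attacker completes a flow on their own account and lures the victim's browser to the resulting callback URL) next to the standard mitigation: an unguessable `state` value bound to the browser session and checked on return (RFC 6749 section 10.12), with the OIDC `nonce` handled the same way. This is example code written for this page, not the paper's proposed technique, which the abstract does not describe; the provider endpoint, client identifier, redirect URI and authorization codes are made-up values.

```python
"""Added example: login CSRF against an OAuth 2.0 / OIDC client and the
session-bound `state` check that blocks it.  Illustrative code written for
this page, not the paper's technique.  All URLs, identifiers and codes are
made up for the example."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical provider and client values (assumptions, not real endpoints).
AUTHZ_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "rp-client-123"
REDIRECT_URI = "https://rp.example/callback"


def build_authorization_request(session: dict, scope: str = "openid") -> str:
    """Start a flow for one browser session.

    A fresh, unguessable `state` is stored in the session and sent to the
    provider (RFC 6749 section 10.12); an OIDC `nonce` is stored the same way
    so the returned ID token can be bound to this session too.
    """
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": session["oauth_state"],
        "nonce": session["oidc_nonce"],
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Hardened callback: return the code only if the response belongs to this session.

    The stored state is consumed (single use) so a replayed callback also fails,
    and the comparison is constant-time.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if (expected is None or received is None
            or not hmac.compare_digest(expected.encode(), received.encode())):
        raise PermissionError("state missing or mismatched: possible CSRF, response discarded")
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries neither code nor error")
    return code


def vulnerable_handle_callback(session: dict, callback_url: str) -> str:
    """The 'before' behaviour seen in many real clients: `state` is simply ignored."""
    query = parse_qs(urlparse(callback_url).query)
    return query["code"][0]


def verify_id_token_nonce(session: dict, claims: dict) -> bool:
    """OIDC analogue: the ID token (signature assumed already verified) must carry
    the nonce this session sent; otherwise it is someone else's token."""
    expected = session.pop("oidc_nonce", None)
    got = claims.get("nonce")
    return (bool(expected) and isinstance(got, str)
            and hmac.compare_digest(expected.encode(), got.encode()))


def demo() -> dict:
    """Run the victim's flow, a forged callback and a replay; report what each handler did."""
    victim = {}
    build_authorization_request(victim)
    honest = f"{REDIRECT_URI}?{urlencode({'code': 'victim-code', 'state': victim['oauth_state']})}"

    # Attacker finished a flow on their own account and sends the victim's browser
    # to the resulting callback URL (e.g. via an <img> tag or a redirect).
    forged = f"{REDIRECT_URI}?{urlencode({'code': 'attacker-code', 'state': 'attacker-state'})}"

    results = {}
    results["vulnerable_accepts_forged"] = (
        vulnerable_handle_callback(dict(victim), forged) == "attacker-code")
    try:
        handle_callback(dict(victim), forged)
        results["hardened_rejects_forged"] = False
    except PermissionError:
        results["hardened_rejects_forged"] = True
    results["hardened_accepts_honest"] = handle_callback(victim, honest) == "victim-code"
    try:
        handle_callback(victim, honest)  # state was consumed by the first use
        results["hardened_rejects_replay"] = False
    except PermissionError:
        results["hardened_rejects_replay"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

In the vulnerable handler the victim's session ends up logged in to the attacker's account (or, with an attacker-supplied code on a linking flow, the attacker's identity becomes attached to the victim's account), which is the effect the CSRF attacks mentioned above exploit. The hardened handler refuses any callback whose `state` is absent, belongs to another session, or has already been used; binding the `nonce` to the session closes the equivalent hole for ID tokens.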