Analysing the Security of Google’s Implementation of OpenID Connect

Wanpeng Li* (Corresponding Author), Chris Mitchell

Research output: Chapter in Book/Report/Conference proceeding - Published conference contribution

26 Citations (Scopus)
13 Downloads (Pure)


Many millions of users routinely use Google to log in to relying party (RP) websites supporting Google’s OpenID Connect service. OpenID Connect builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management. OpenID Connect allows an RP to obtain authentication assurances regarding an end user. A number of authors have analysed OAuth 2.0 security, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google’s implementation of OpenID Connect, involving forensic examination of 103 RP websites supporting it. Our study reveals widespread serious vulnerabilities of a number of types, many allowing an attacker to log in to an RP website as a victim user. These issues appear to be caused by a combination of Google’s design of its OpenID Connect service and RP developers making design decisions that sacrifice security for ease of implementation. We give practical recommendations for both RPs and OPs (OpenID Providers) to help improve the security of real-world OpenID Connect systems.
Original language: English
Title of host publication: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Subtitle of host publication: DIMVA 2016
Editors: J. Caballero, U. Zurutuza, R. Rodríguez
Place of publication: Cham
Number of pages: 19
ISBN (Electronic): 978-3-319-40667-1
ISBN (Print): 978-3-319-40666-4
Publication status: Published - 12 Jun 2016

Publication series

Name: Lecture Notes in Computer Science
ISSN (Print): 0302-9743

