OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect

Wanpeng Li, Chris Mitchell, Thomas Chen

Research output: Chapter in Book/Report/Conference proceedingPublished conference contribution

14 Citations (Scopus)
185 Downloads (Pure)


Millions of users routinely use Google to log in to websites supporting the standardised protocols OAuth 2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is therefore of critical importance. As revealed in previous studies, in practice RPs often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. However, users of such flawed systems are typically unaware of these issues, and so are at risk of attacks which could result in unauthorised access to the victim user's account at an RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0 and OpenID Connect vulnerability scanner and protector, that works with RPs using Google OAuth 2.0 and OpenID Connect services. It protects user security and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect correctly. We used OAuthGuard to survey the 1000 top-ranked websites supporting Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect security and privacy vulnerabilities, of which one has not previously been described in the literature. Of the 137 sites in our study that employ Google Sign-in, 69 were found to suffer from at least one serious vulnerability. OAuthGuard was able to protect user security and privacy for 56 of these 69 RPs, and for the other 13 was able to warn users that they were using an insecure implementation.
Original languageEnglish
Title of host publicationProceedings of the 5th ACM Workshop on Security Standardisation Research Workshop
Publication statusPublished - Nov 2019


Dive into the research topics of 'OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect'. Together they form a unique fingerprint.

Cite this