User Access Privacy in OAuth 2.0 and OpenID Connect

Wanpeng Li, Chris J. Mitchell

Research output: Chapter in Book/Report/Conference proceedingPublished conference contribution

10 Citations (Scopus)

Abstract

Currently widely used federated login (single sign-on) systems, notably those based on OAuth 2.0, offer very little privacy for the user, and as a result the identity provider (e.g. Google or Facebook) can learn a great deal about user web behaviour, in particular which sites they access. This is clearly not desirable for privacy reasons, and in particular for privacy-conscious users who wish to minimise the information about web access behaviour that they reveal to third party organisations. In this paper we give a systematic analysis of the user access privacy properties of OAuth 2.0 and OpenID Connect systems, and in doing so describe how simple it is for an identity provider to track user accesses. We also propose possible ways in which these privacy issues could to some extent be mitigated, although we conclude that to make the protocols truly privacy-respecting requires significant changes to the way in which they operate. In particular, it seems impossible to develop simple browser-based mitigations without modifying the protocol behaviour. We also briefly examine parallel research by Hammann et al., who have proposed a means of improving the privacy properties of OpenID Connect.

Original languageEnglish
Title of host publicationProceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages664-672
Number of pages9
ISBN (Electronic)9781728185972
DOIs
Publication statusPublished - Sept 2020
Event5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020 - Virtual, Genoa, Italy
Duration: 7 Sept 202011 Sept 2020

Conference

Conference5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
Country/TerritoryItaly
CityVirtual, Genoa
Period7/09/2011/09/20

Bibliographical note

Publisher Copyright:
© 2020 IEEE.

Keywords

  • Authentication
  • Authorization
  • OAuth 2.0
  • OpenID Connect
  • Privacy

Fingerprint

Dive into the research topics of 'User Access Privacy in OAuth 2.0 and OpenID Connect'. Together they form a unique fingerprint.

Cite this