A Comprehensive Formal Security Analysis of OAuth 2.0

Explore a comprehensive formal security analysis of OAuth 2.0 in this 25-minute conference talk presented at CCS 2016, the 23rd ACM Conference on Computer and Communications Security. Delve into the contributions, formal analysis methods, and web application standards discussed by authors Daniel Fett, Ralf Küsters, and Guido Schmitz from the University of Trier. Examine the web model, browser model, and limitations of OAuth 2.0. Investigate various OAuth modes, multiple IdPs, and key security properties including authorization, authentication, and session integrity. Uncover potential attacks, such as the 307 Redirect Attack and IdP Mix-Up Attack, along with their mitigation strategies. Gain insights into the security proof assumptions, network attacker scenarios, and related work in the field of OAuth 2.0 security analysis.

Intro
Our Contributions
Formal Analysis of Web Applications and Standards
Sources
Web Model
Web Browser Model
Limitations
Previous Work
OAuth Modes
Multiple IdPs
Authorization Property
Authentication Property
Session Integrity Property
Attacks: Overview
307 Redirect Attack
IdP Mix-Up Attack in implicit Mode
IdP Mix-Up Attack: Mitigation
Impact
Proof: Assumptions
Session Integrity: Network Attacker
OAuth 2.0: Security Proof
Some Related Work