A survey on OAUTH protocol for security

  • Abstract

    The Web is a dangerous place. Behind every service and every API there are clients who would like nothing better than to get through the layers of security you have put up. OAuth 2.0 is one of the most powerful open-standard authorization protocols available to API developers today. Most popular social-network APIs, including those of Google, Twitter and Facebook, use OAuth 2.0 to improve the user experience of signing on and social sharing. The authorization code issued during the flow may be leaked in transit and then misused. This paper uses an attacker model to study the security vulnerabilities of the OAuth protocol. Experimental results on the Google API show that common attacks such as phishing, replay and impersonation may be possible against this protocol.
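    The leaked-code, replay and forged-callback cases the abstract refers to, as an added example that simulates both sides of the OAuth 2.0 authorization-code exchange in Python. This is not the paper's experiment against the Google API and not code from the paper; the `AuthorizationServer` and `Client` classes, the client id `app` and the redirect URI are hypothetical. The defenses shown are the standard ones: one-time codes with revocation on reuse (RFC 6749 section 4.1.2), the `state` parameter binding the callback to the session that started the flow (RFC 6749 section 10.12), and PKCE (RFC 7636), which stops whoever captured the code from redeeming it.

```python
import base64
import hashlib
import secrets


def pkce_challenge(code_verifier):
    """S256 challenge from RFC 7636: BASE64URL(SHA-256(verifier)) with padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy authorization server (hypothetical) keeping pending and redeemed codes in memory."""

    def __init__(self):
        self._pending = {}    # code -> {client_id, redirect_uri, code_challenge}
        self._redeemed = {}   # code -> access token issued for it
        self.revoked = set()  # access tokens revoked after a detected code reuse

    def authorize(self, client_id, redirect_uri, state, code_challenge=None):
        # The resource owner is assumed to have authenticated and consented already.
        code = secrets.token_urlsafe(24)
        self._pending[code] = {"client_id": client_id,
                               "redirect_uri": redirect_uri,
                               "code_challenge": code_challenge}
        # Parameters of the redirect back to the client: exactly what an eavesdropper
        # on an unprotected hop, or a rogue app claiming the same redirect, gets to see.
        return {"code": code, "state": state}

    def token(self, client_id, code, redirect_uri, code_verifier=None):
        if code in self._redeemed:
            # RFC 6749 s4.1.2: on reuse, deny and revoke what the code already produced.
            self.revoked.add(self._redeemed[code])
            return None
        rec = self._pending.get(code)
        if rec is None:
            return None
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None
        if rec["code_challenge"] is not None:
            if code_verifier is None or pkce_challenge(code_verifier) != rec["code_challenge"]:
                return None  # caller holds the code but cannot prove it began the flow
        del self._pending[code]  # consumed only on a successful exchange
        access_token = secrets.token_urlsafe(32)
        self._redeemed[code] = access_token
        return {"access_token": access_token, "token_type": "Bearer"}


class Client:
    """Public client (no client secret), e.g. a mobile app, optionally using PKCE."""

    def __init__(self, client_id, redirect_uri, use_pkce):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.use_pkce = use_pkce
        self._sessions = {}  # state -> code_verifier (None when PKCE is off)

    def begin(self):
        state = secrets.token_urlsafe(16)
        verifier = secrets.token_urlsafe(32) if self.use_pkce else None
        self._sessions[state] = verifier
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "state": state,
                "code_challenge": pkce_challenge(verifier) if verifier else None}

    def finish(self, callback, server):
        # Accept a callback only for a flow this client actually started.
        if callback.get("state") not in self._sessions:
            return None
        verifier = self._sessions.pop(callback["state"])
        return server.token(self.client_id, callback["code"], self.redirect_uri, verifier)


REDIRECT = "https://app.example/cb"  # hypothetical redirect URI


def leaked_code_scenario(use_pkce):
    """Attacker who captured the redirect races the client to the token endpoint.

    Returns (attacker_token, client_token, replay_token, revoked_tokens).
    """
    server = AuthorizationServer()
    client = Client("app", REDIRECT, use_pkce)
    req = client.begin()
    callback = server.authorize(req["client_id"], req["redirect_uri"],
                                req["state"], req["code_challenge"])
    attacker_token = server.token("app", callback["code"], REDIRECT)  # no verifier
    client_token = client.finish(callback, server)
    replay_token = server.token("app", callback["code"], REDIRECT)    # code presented again
    return attacker_token, client_token, replay_token, server.revoked


def forged_callback_scenario():
    """Attacker plants a code from their own session into the victim's browser."""
    server = AuthorizationServer()
    client = Client("app", REDIRECT, use_pkce=True)
    client.begin()
    attacker_flow = server.authorize("app", REDIRECT, state="attacker-chosen")
    return client.finish(attacker_flow, server)


if __name__ == "__main__":
    print("without PKCE:", leaked_code_scenario(False))
    print("with PKCE:   ", leaked_code_scenario(True))
```

    Without PKCE the captured code is as good as the user's consent: the attacker obtains a token, the legitimate client's exchange then fails, and only the reuse detection limits the damage by revoking the attacker's token when the client tries. With PKCE the attacker's redemption is refused because it cannot present the verifier, and the later replay is refused because the code is single-use; note that the replay still revokes the legitimate token, which is the denial-of-service cost RFC 6749 accepts in exchange for containing a stolen code. The forged-callback case fails at the `state` check before any request reaches the token endpoint.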


  • Keywords

    OAuth 2.0; Security Vulnerabilities; Authentication.


Article ID: 10834
DOI: 10.14419/ijet.v7i1.1.10834

Copyright © 2012-2015 Science Publishing Corporation Inc. All rights reserved.