(2016)

> When proving the security of OAuth in our model, we discovered four attacks which break the security of OAuth. The vulnerabilities can be exploited in practice and are present also in OpenID Connect.

> We reported all attacks to the OAuth and OpenID Connect working groups who confirmed the attacks. The OAuth working group invited us to present our findings to them and prepared a draft for an RFC that mitigates the IdP mix-up attack (using the fix described in Section 3.2) [24]. Fixes regarding the other attacks are currently under discussion. We also notified nytimes.com, Facebook, and the developers of mod_auth_openidc and pyoidc.

The burning question is what has happened since. I couldn't find an RFC or errata about the other issues.

(Aside from formal analyses being cool research. :)

[24] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mix-up-mitigation-01
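To make the IdP mix-up attack and its mitigation concrete, here is an added example of the client-side check; it is not code from the paper, the cited draft, or the commenter. It assumes the approach the mitigation draft takes, namely that the authorization server echoes its issuer identifier as an `iss` parameter in the authorization response, and the client compares it with the IdP it bound to the `state` value when the flow started. The issuer names, endpoints, client id, redirect URI and codes are constructed for the demo.

```python
"""
Added example (not from the paper or the thread): a client-side check against
the OAuth 2.0 IdP mix-up attack. Assumption: the authorization server sends
its issuer identifier as `iss` in the authorization response, so the client
can verify that the code came from the IdP it started the login with.
"""
import secrets
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed trust registry: issuer identifier -> authorization endpoint.
# Both IdPs are hypothetical; the second stands in for an attacker-run IdP
# that the user was tricked into choosing.
IDPS = {
    "https://idp-honest.example": "https://idp-honest.example/authorize",
    "https://idp-attacker.example": "https://idp-attacker.example/authorize",
}
CLIENT_ID = "demo-client"                      # constructed
REDIRECT_URI = "https://rp.example/callback"   # constructed


class MixUpError(Exception):
    """The authorization response does not belong to the flow it claims to."""


class OAuthClient:
    def __init__(self):
        # state -> issuer the user picked when the flow began
        self.pending = {}

    def start_login(self, issuer, state=None):
        """Bind a fresh state to the chosen IdP; return (state, redirect URL)."""
        if issuer not in IDPS:
            raise ValueError(f"unknown IdP {issuer}")
        state = state or secrets.token_urlsafe(16)
        self.pending[state] = issuer
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "state": state}
        return state, f"{IDPS[issuer]}?{urlencode(params)}"

    def handle_callback(self, callback_url):
        """Validate the authorization response; return (issuer, code).

        The caller must redeem the code only at the token endpoint of the
        issuer returned here, so a mix-up cannot route it to another IdP.
        """
        q = parse_qs(urlparse(callback_url).query)
        state = q.get("state", [None])[0]
        iss = q.get("iss", [None])[0]
        code = q.get("code", [None])[0]
        # pop() makes the state one-shot, which also blocks replay of a response
        expected = self.pending.pop(state, None)
        if expected is None:
            raise MixUpError("unknown or already-used state")
        if iss is None:
            raise MixUpError("authorization response lacks iss")
        if iss != expected:
            raise MixUpError(f"response from {iss} but flow started with {expected}")
        if code is None:
            raise MixUpError("no authorization code in response")
        return expected, code


def demo():
    """Mix-up scenario: flow started with the attacker IdP, code arrives from
    the honest IdP. Without the iss check the client would send the honest
    code to the attacker's token endpoint; with it the response is rejected."""
    client = OAuthClient()
    state, _ = client.start_login("https://idp-attacker.example", state="s1")
    cb = f"{REDIRECT_URI}?code=honest-code&state={state}&iss=https://idp-honest.example"
    try:
        client.handle_callback(cb)
        return "accepted"
    except MixUpError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the binding: `state` must be unguessable and single-use, and the token request that follows must go to the endpoint of the issuer `handle_callback` returned, never to one chosen from the response itself.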
Kind of tangential, but one thing I realized recently I didn't get about OAuth2 (or OpenID), social logins for that matter: when you click on the login button, you're sent to whatever site the site you're logging in to wants to send you. It could be a phishing page or whatever. Is that not a significant issue?

I've never seen any warnings about this. I feel like generally it's touted as a better (practical, secure) alternative than having your own per-site email address and password, and most identity providers are careful to say "are you sure this is the site you want to log into" (mostly because people are abusing OAuth2 for logins), but nobody says "hey, triple check before clicking an off-site login link!"

I feel like there needs to be browser-side integration that keeps track of which identity providers you have, and which ones you've previously used on which sites. Somehow Facebook pushed passkeys through, so it's not like browser-site cooperation can't happen in the login space.

IIRC there were some OAuth2 alternatives years back but I don't think they went anywhere. It'd be nice to get rid of all the cruft in the standard about HTTP logins, maybe support flows that don't rely so heavily on DNS, etc. etc. too.