There is an increasing demand for authentication services that authenticate users on the internet. One widely deployed authentication protocol is OpenID Connect, used for example by Google to provide single sign-on to millions of users. As adoption grows and more companies implement the protocol, there is a corresponding need to ensure that implementations protect against adversaries who attack these services in different ways. This thesis aims to provide guidelines for those implementing the protocol. It examines several attacks and finds that implementation choices greatly affect security and the resulting susceptibility to attack. The attacks studied are Cross-Site Request Forgery (CSRF) attacks, Mix-Up attacks, passive web attacks, and Distributed Denial of Service (DDoS) attacks. Among other findings, implementers should use the state parameter to protect against CSRF attacks, and services must use a secure HTTPS connection to protect, for example, sensitive data in transit. A recommendation is made for how a federation of Relying Parties and OpenID Providers can be set up to further improve security.
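The state handling the abstract recommends, shown as an added example that is not code from the thesis: a minimal Relying Party that binds a fresh `state` and `nonce` to the user's session when it builds the authorization request, rejects any callback whose `state` does not match (the CSRF defence), and, against the Mix-Up attack also named above, records which OpenID Provider the request was sent to and checks the `iss` response parameter (RFC 9207) on the way back. The class name, the in-memory session store, the provider dict, and the URLs are assumptions for illustration; a real RP would keep this state in a server-side session and would still validate the ID Token (including its `nonce`) after the code exchange.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class RelyingParty:
    """Constructed example RP: tracks one pending OIDC request per session.

    Not the thesis's code. Demonstrates state-based CSRF protection and
    issuer binding as a Mix-Up defence; assumes the OP supports the
    RFC 9207 `iss` response parameter.
    """

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        # session_id -> {"state", "nonce", "issuer"} for the pending request
        self.sessions = {}

    def build_auth_request(self, session_id, provider):
        """Return the authorization URL for `provider`.

        `provider` is an assumed dict with 'issuer' and
        'authorization_endpoint'. A fresh state and nonce are bound to the
        session together with the issuer the user is being sent to.
        """
        state = secrets.token_urlsafe(32)   # unguessable, per request
        nonce = secrets.token_urlsafe(32)   # checked later against the ID Token
        self.sessions[session_id] = {
            "state": state,
            "nonce": nonce,
            "issuer": provider["issuer"],
        }
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid",
            "state": state,
            "nonce": nonce,
        }
        return provider["authorization_endpoint"] + "?" + urlencode(params)

    def handle_callback(self, session_id, callback_url):
        """Validate the redirect back from the OP.

        Returns {"code", "nonce"} on success; raises ValueError on any
        check failure. The pending entry is consumed so a state can only
        be redeemed once.
        """
        pending = self.sessions.pop(session_id, None)
        if pending is None:
            raise ValueError("no pending authorization request for this session")

        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        # Constant-time comparison; a missing or foreign state means the
        # response was not requested by this session (CSRF / session swap).
        if state is None or not hmac.compare_digest(
            state.encode(), pending["state"].encode()
        ):
            raise ValueError("state mismatch: possible CSRF")

        # Mix-Up defence: the response must come from the OP this state
        # was issued for, not from whichever OP the attacker redirected via.
        iss = query.get("iss", [None])[0]
        if iss != pending["issuer"]:
            raise ValueError("issuer mismatch: possible mix-up attack")

        if "error" in query:
            raise ValueError("OP returned error: " + query["error"][0])
        code = query.get("code", [None])[0]
        if not code:
            raise ValueError("authorization code missing")
        return {"code": code, "nonce": pending["nonce"]}


def try_callback(rp, session_id, callback_url):
    """Helper for demonstrations: ('ok', code) or ('rejected', reason)."""
    try:
        return ("ok", rp.handle_callback(session_id, callback_url)["code"])
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed walkthrough with assumed URLs.
    rp = RelyingParty("client-123", "https://rp.example/cb")
    honest_op = {"issuer": "https://op.example",
                 "authorization_endpoint": "https://op.example/authorize"}
    print(rp.build_auth_request("sess-1", honest_op))
    st = rp.sessions["sess-1"]["state"]
    print(try_callback(rp, "sess-1",
          "https://rp.example/cb?code=abc&state=" + st + "&iss=https%3A%2F%2Fop.example"))
    print(try_callback(rp, "sess-1", "https://rp.example/cb?code=xyz&state=forged"))
```

Binding the issuer to the state is what stops the Mix-Up attack: an attacker-controlled OP can relay a victim's browser through the honest OP's authorization endpoint, but the callback it produces cannot carry the honest issuer's `iss` for a state that was issued towards the attacker's OP, so the RP refuses to exchange the code.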
Identifier | oai:union.ndltd.org:UPSALLA1/oai:DiVA.org:liu-187933 |
Date | January 2022 |
Creators | Thor, Ludvig |
Publisher | Linköpings universitet, Programvara och system |
Source Sets | DiVA Archive at Upsalla University |
Language | English |
Detected Language | English |
Type | Student thesis, info:eu-repo/semantics/bachelorThesis, text |
Format | application/pdf |
Rights | info:eu-repo/semantics/openAccess |