Revisiting OAuth 2.0 Compliance: A Two-Year Follow-Up Study

Pieter Philippaerts, D. Preuveneers, W. Joosen
DOI: 10.1109/EuroSPW59978.2023.00064
Published in: 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2023-07-01
Citation count: 0

Abstract

OAuth 2.0 is a widely used authorization protocol that allows third-party access to an authorization service on behalf of a user. Like any security protocol, it requires careful implementation to ensure security. Previous research has thoroughly analyzed the security of the OAuth protocol, but popular deployments remain vulnerable due to incorrect or limited implementation of the standards. In our previous work, we introduced a tool called OAUCH to measure and improve compliance with the OAuth standards. We used the tool to measure the compliance of 100 OAuth implementations and created a unique overview of the state of practice within the OAuth ecosystem. This paper revisits these prior results and updates our measurements. We compare the latest results to the original baseline and identify changes in the ecosystem. Our analysis shows that IdPs have become more compliant in the past two years, but a substantial number still lack fundamental countermeasures.
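The abstract speaks of IdPs that "lack fundamental countermeasures" without naming them. As an added illustration (this is not the paper's code and not the OAUCH tool), the Python below sketches what a compliance probe of an authorization server looks like: a toy in-memory server that enforces exact redirect_uri matching, mandatory S256 PKCE (RFC 7636) and single-use authorization codes, a variant with two common deployment weaknesses (prefix matching of redirect_uri, PKCE treated as optional), and a probe that reports per countermeasure whether it is enforced. The client registration, redirect URIs and both server classes are constructed for this example; which countermeasures the paper's measurements actually cover is not stated on this page.

```python
import base64
import hashlib
import hmac
import secrets
import time


def s256_challenge(verifier):
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class StrictAuthorizationServer:
    """Toy in-memory authorization server (constructed for this example)."""

    CODE_LIFETIME = 60  # seconds; authorization codes must be short-lived

    def __init__(self, clients):
        self.clients = clients  # client_id -> set of registered redirect URIs
        self.codes = {}         # code -> binding data recorded at issuance

    def redirect_uri_ok(self, registered, redirect_uri):
        return redirect_uri in registered  # exact string match, no prefix/wildcard

    def challenge_ok(self, challenge, method):
        return challenge is not None and method == "S256"

    def authorize(self, client_id, redirect_uri, code_challenge=None, method=None):
        """Authorization endpoint; the resource owner's consent is assumed."""
        registered = self.clients.get(client_id)
        if registered is None:
            raise ValueError("unauthorized_client")
        if not self.redirect_uri_ok(registered, redirect_uri):
            raise ValueError("invalid_request: redirect_uri not registered")
        if not self.challenge_ok(code_challenge, method):
            raise ValueError("invalid_request: S256 code_challenge required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "used": False,
                            "expires": time.monotonic() + self.CODE_LIFETIME}
        return code

    def token(self, code, client_id, redirect_uri, code_verifier):
        """Token endpoint for grant_type=authorization_code."""
        rec = self.codes.get(code)
        if rec is None or rec["client_id"] != client_id:
            raise ValueError("invalid_grant")
        if rec["used"]:
            del self.codes[code]  # replayed code: revoke it outright
            raise ValueError("invalid_grant: code already used")
        if time.monotonic() > rec["expires"]:
            raise ValueError("invalid_grant: code expired")
        if rec["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant: redirect_uri mismatch")
        if rec["challenge"] is not None and not hmac.compare_digest(
                s256_challenge(code_verifier), rec["challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        rec["used"] = True
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class LaxAuthorizationServer(StrictAuthorizationServer):
    """Same server with two common weaknesses: redirect_uri prefix matching and
    PKCE treated as optional with the method left unvalidated."""

    def redirect_uri_ok(self, registered, redirect_uri):
        return any(redirect_uri.startswith(r) for r in registered)

    def challenge_ok(self, challenge, method):
        return True


def probe_countermeasures(server, client_id, redirect_uri):
    """Drive the endpoints the way a compliance scanner would. True means the
    server enforces the countermeasure, False means it is missing."""
    verifier = secrets.token_urlsafe(48)
    challenge = s256_challenge(verifier)

    def rejected(call):
        try:
            call()
            return False
        except ValueError:
            return True

    results = {
        "exact_redirect_uri": rejected(lambda: server.authorize(
            client_id, redirect_uri + "?next=https://attacker.example/", challenge, "S256")),
        "pkce_required": rejected(lambda: server.authorize(client_id, redirect_uri)),
        "plain_pkce_rejected": rejected(lambda: server.authorize(
            client_id, redirect_uri, verifier, "plain")),
    }
    code = server.authorize(client_id, redirect_uri, challenge, "S256")
    results["wrong_verifier_rejected"] = rejected(lambda: server.token(
        code, client_id, redirect_uri, secrets.token_urlsafe(48)))
    server.token(code, client_id, redirect_uri, verifier)  # legitimate exchange
    results["code_single_use"] = rejected(lambda: server.token(
        code, client_id, redirect_uri, verifier))
    return results
```

Running `probe_countermeasures(LaxAuthorizationServer({"client-a": {"https://app.example/cb"}}), "client-a", "https://app.example/cb")` reports the three authorization-endpoint checks as missing while the token endpoint still rejects a wrong verifier and a replayed code; the strict server passes all five. Against a real IdP the same probe is driven over HTTP, and the interesting result is exactly this per-countermeasure breakdown rather than a single pass/fail.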