基于Web oauth的SSO系统安全性

Proceedings of the 3rd International Conference on Networking, Information Systems & Security Pub Date : 2020-03-31 DOI:10.1145/3386723.3387888

Yassine Sadqi, Yousra Belfaik, S. Safi

{"title":"基于Web oauth的SSO系统安全性","authors":"Yassine Sadqi, Yousra Belfaik, S. Safi","doi":"10.1145/3386723.3387888","DOIUrl":null,"url":null,"abstract":"In the present digital world, users have to access multiple applications for carrying out their day-to-day business activities. As the amount of apps increase, the number of credentials (e.g. username/password) for each user increases and thereby the possibility of losing or forgetting them also increases. Single Sign-On (SSO) can be used to solve many problems related to web user authentication. OAuth-based SSO Systems are widely deployed by big tech companies such as Facebook and Google. In this paper we provide an in-depth review analysis of OAuth-based SSO systems security issues. In fact, previous efforts have been aimed either at finding errors in specific implementations, or at finding security problems within the specification itself. The main paper contribution is twofold: (1) describe in detail the OAuth 2.0 authorization flows and summarize the differences between the flows of each scenario that affect the security of the OAuth 2.0 protocol, and (2) examine the security problems related to the OAuth 2.0 specification and its implementation in the Web environment.","PeriodicalId":139072,"journal":{"name":"Proceedings of the 3rd International Conference on Networking, Information Systems & Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-03-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":"{\"title\":\"Web OAuth-based SSO Systems Security\",\"authors\":\"Yassine Sadqi, Yousra Belfaik, S. Safi\",\"doi\":\"10.1145/3386723.3387888\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In the present digital world, users have to access multiple applications for carrying out their day-to-day business activities. As the amount of apps increase, the number of credentials (e.g. username/password) for each user increases and thereby the possibility of losing or forgetting them also increases. Single Sign-On (SSO) can be used to solve many problems related to web user authentication. OAuth-based SSO Systems are widely deployed by big tech companies such as Facebook and Google. In this paper we provide an in-depth review analysis of OAuth-based SSO systems security issues. In fact, previous efforts have been aimed either at finding errors in specific implementations, or at finding security problems within the specification itself. The main paper contribution is twofold: (1) describe in detail the OAuth 2.0 authorization flows and summarize the differences between the flows of each scenario that affect the security of the OAuth 2.0 protocol, and (2) examine the security problems related to the OAuth 2.0 specification and its implementation in the Web environment.\",\"PeriodicalId\":139072,\"journal\":{\"name\":\"Proceedings of the 3rd International Conference on Networking, Information Systems & Security\",\"volume\":\"1 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-03-31\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"7\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 3rd International Conference on Networking, Information Systems & Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3386723.3387888\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 3rd International Conference on Networking, Information Systems & Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3386723.3387888","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 7

摘要

在当今的数字世界中，用户必须访问多个应用程序来进行日常业务活动。随着应用数量的增加，每个用户的凭据(例如用户名/密码)数量也会增加，因此丢失或忘记它们的可能性也会增加。单点登录(Single Sign-On, SSO)可以解决许多与web用户认证相关的问题。基于oauth的单点登录系统被Facebook和谷歌等大型科技公司广泛部署。在本文中，我们对基于oauth的SSO系统安全问题进行了深入的回顾分析。事实上，以前的工作的目的不是寻找特定实现中的错误，就是寻找规范本身中的安全问题。本文的主要贡献有两个方面:(1)详细描述了OAuth 2.0授权流程，并总结了影响OAuth 2.0协议安全性的每种场景的流程之间的差异;(2)研究了与OAuth 2.0规范及其在Web环境中的实现相关的安全问题。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Web OAuth-based SSO Systems Security

In the present digital world, users have to access multiple applications for carrying out their day-to-day business activities. As the amount of apps increase, the number of credentials (e.g. username/password) for each user increases and thereby the possibility of losing or forgetting them also increases. Single Sign-On (SSO) can be used to solve many problems related to web user authentication. OAuth-based SSO Systems are widely deployed by big tech companies such as Facebook and Google. In this paper we provide an in-depth review analysis of OAuth-based SSO systems security issues. In fact, previous efforts have been aimed either at finding errors in specific implementations, or at finding security problems within the specification itself. The main paper contribution is twofold: (1) describe in detail the OAuth 2.0 authorization flows and summarize the differences between the flows of each scenario that affect the security of the OAuth 2.0 protocol, and (2) examine the security problems related to the OAuth 2.0 specification and its implementation in the Web environment.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 3rd International Conference on Networking, Information Systems & Security

自引率

0.00%

发文量