In this post we show a novel attack on OpenID Connect 1.0, which compromises the security of the entire protocol - the Malicious Endpoints attack. The idea behind the attack is to influence the information flow in the Discovery and Dynamic Registration Phase in such a way that the attacker gains access to sensitive information.
OpenID Connect authentication flow with Discovery and Dynamic Registration
OpenID Connect 1.0 protocol flow with Discovery and Dynamic Registration |
- Initiate Single Sign-On:
An End-User visits the client (https://honestClient.com) and starts the Single Sign-On authentication in order to authenticate on the Client and get access to his resources. For this purpose, the End-User enters his identity on the Honest OP (e.g. alice@honestop.com). - Discovery Endpoint (Discovery):
The Client normalizes the entered identity in order to estimate the correspondig OP. Afterwards the Client sends an HTTP request to this Discovery endpoint and subsequently retrieves the OP's confguration information including its endpoint locations: - The (Dynamic) Registration Endpoint (regEndp).
- The Authentication Endpoint (authEndp.
- The Token Endpoint (tokenEndp).
- Using the Registration Endpoint (regEndp):
In order to use OpenID Connect services for authentication, a Client has to register on the OP. For this registration, the Client accesses this URL regEndp, for example, https://google.com/register. - Using the Authorization Endpoint (authEndp):
In order to execute the Client's Authentication Request, the End-User has to be redirected to the authEndp of the OP, for example to https://login.google.com/. Here, the End-User has to authenticate to the OP via a corresponding authentication process and authorize the Client to access the requested resources. - Using the Token Endpoint (tokenEndp):
The Client communicates with the tokenEndp, for example, https://google.com/consume-token, in order to obtain the id_token described in Section 2.5 and authenticate the End-User. In addition, an access_token can be sent to the Client in order to authorize the access to restricted resources. This communication is done directly between Client and OP (without involving the End-User).
Malicious Endpoint Attack
A view of the Malicious Endpoint attack and the protocol flow. |
If the victim clicks on the constructed link and thus visits the Client, the Client starts a discovery phase with the malicious Discovery service http://malicious.com. The Client sends a request to determine the corresponding endpoints. The attacker's Discovery service responds with the following values, initiating the actual attack:
Phase 1.2 - Dynamic Registration In the next step, the Client accesses regEndp for the Dynamic Registration. It sends a registration request to https://honestOP.com/register and receives a client_id and client_secret in the response.
The Client automatically starts the Dynamic Registration, even if it is already registered on the honest OpenID Provider. The reason for this behavior is that the Client believes that http://malicious.com is the responsible op, since it is not known from previous authentication procedures. Thus, http://malicious.com is a new OpenID Provider for the Client and it starts the registration procedure.
Phase 2 - End-User Authentication and Authorization In the next phase, the Client redirects the End-User to authEndp, https://login.honestOP.com/, where the End-User has to authenticate himself and authorize the Client. The End-User is not able to detect any abnormalities in the protocol flow: Phase 1.1 and Phase 1.2 cannot be observed by the End-User, and in Phase 2 the End-User will be prompted to authenticate to the honest OpenID Provider and authorize the honest Client, both of which he knows and trusts. Thus, the End-User authorizes the Client and the OpenID Provider generates the code, which is sent to the Client.
Note: Phase 2 exactly follows the original OpenID Connect protocol flow -- there is no parameter manipulation, no redirects to malicious websites and no observation of the network traffic between the End-User, the honest OpenID Provider and the Client. This means that the attack cannot be detected by the Client, the OpenID Provider and the End-User.
Phase 3 - The Theft In dependence of the protocol flow (Code or Implicit) the messages sent to the attacker differ.
Code Flow: Within the Code flow the Client redeems the received code from the previous phase: It sends the code together with the corresponding Client's credentials received during the Dynamic Registration (client_id/client_secret) to the tokenEndp originally specified by the malicious Discovery service - in this example http://malicious.com.
Implicit Flow: Since the Implicit flow does not use the tokenEndp, the attacker is not able to receive the information send in phase 2. But during the Discovery Phase an other malicious endpoint can be used - userinfo_endpoint. This endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated user. According to the specification, the obtained access token is sent as a Bearer token by the Client. Thus, the attacker can get access to a valid access token.
Demo
http://ssoattacks.org/OIDC_MaliciousDiscoveryService/
Authors of this Post
Vladislav MladenovChristian Mainka (@CheariX)