This is a guest blogpost by Lauritz Holtmann. He wrote his master's thesis on:
"Single Sign-On Security: Security Analysis of real-life OpenID Connect Implementations"
OpenID Connect 1.0 and OAuth 2.0 are the Single Sign-On protocols implemented in modern web applications. In this post, we outline common issue patterns that were discovered in popular OpenID Connect implementations, give concrete examples of vulnerabilities, and recommend adjustments to the OpenID Connect specification.