In this post, Christian Fries shows an approach to unveil security flaws in OpenID Connect Certified implementations with well-known attack methods. One goal of the master's thesis Security Analysis of Real-Life OpenID Connect Implementations was to provide a platform for developers and security researchers to test implementations in a reproducible and maintainable OIDC lab environment.
We included six OpenID Provider (OP) and eight Relying Party (RP) services in the lab environment. For the comprehensive security analysis, we tested the implementations against eleven Relying Party attacks and seven OpenID Provider attacks in different variations with our tool PrOfESSOS. In addition, we carried out manual tests as well. We have disclosed twelve implementation flaws and reported them to the developers in a responsible disclosure process.
Two developer teams fixed (✔) the vulnerabilities before the deadline of the master's thesis. One Redirect URI Manipulation vulnerability was rejected (✖). This particular case can be permissible for only one registered URI for reasons of interoperability and fault tolerance. We informed three further development teams (✦).
Name | Vulnerability | Fixed | CVE |
MITREid Connect | PKCE Downgrade Attack | ✦ | |
mod auth openidc | ID Spoofing, JWKS Spoofing | ✔ | |
node oidc-provider | Redirect URI Manipulation | ✖ | |
OidcRP | Replay Attack | ✦ | |
phpOIDC | Message Flow Confusion, ID Spoofing, Key Confusion | ✦ | |
pyoidc | Replay Attack, Signature Manipulation, Token Recipient Confusion | ✔ | CVE-2020-26244 |
We explain the method of how we have archived this result in the following sections.