a comprehensive formal security analysis of oauth 21601.01229v2 [cs.cr] 7 jan 2016 a comprehensive...

arX

iv:1

601.

0122

9v2

[cs.

CR

] 7

Jan

2016

A Comprehensive Formal Security Analysis

of OAuth 2.0

Daniel FettUniversity of Trier, Germany

[email protected]

Ralf KüstersUniversity of Trier, [email protected]

Guido SchmitzUniversity of Trier, [email protected]

The OAuth 2.0 protocol allows users to grant relying partiesaccess to resources at identity providers.In addition to being used for this kind of authorization, OAuth is also often employed for authenticationin single sign-on (SSO) systems. OAuth 2.0 is, in fact, one ofthe most widely used protocols in the webfor these purposes, with companies such as Google, Facebook, or PayPal acting as identity providersand millions of websites connecting to these services as relying parties.

OAuth 2.0 is at the heart ofFacebook Loginand many other implementations, and also serves asthe foundation for the upcoming SSO system OpenID Connect. Despite the popularity of OAuth, sofar analysis efforts were mostly targeted at finding bugs in specific implementations and were based onformal models which abstract from many web features or did not provide a formal treatment at all.

In this paper, we carry out the first extensive formal analysis of the OAuth 2.0 standard in an expressiveweb model. Our analysis aims at establishing strong authorization and authentication guarantees, forwhich we provide formal definitions. In our formal analysis,all four OAuth grant types (authorizationcode grant, implicit grant, resource owner password credentials grant, and the client credentials grant)are covered. They may even run simultaneously in the same anddifferent relying parties and identityproviders, where malicious relying parties and identity providers are considered as well.

While proving security, we found two previously unknown attacks on OAuth, which both break autho-rization and authentication in OAuth. The underlying vulnerabilities are present also in the new OpenIDConnect standard and can be exploited in practice.

We propose fixes for the identified vulnerabilities, and then, for the first time, actually prove thesecurity of OAuth in an expressive web model. In particular,we show that the fixed version of OAuthprovides the authorization and authentication propertieswe specify.

1

http://arxiv.org/abs/1601.01229v2

Contents

1 Introduction 4

2 OAuth 2.0 62.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . 62.2 OAuth Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 7

3 Attacks on OAuth 2.0 and OpenID Connect 123.1 Attack: 307 Redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . 123.2 Attack: IdP Mix-Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . 133.3 Implications to OpenID Connect . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . 173.4 Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . 18

4 Generic Web Model 184.1 Communication Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . 184.2 Web System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 194.3 Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . 20

5 Analysis of OAuth 2.0 215.1 Model of OAuth 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . 225.2 Authorization and Authentication Properties . . . . . . . .. . . . . . . . . . . . . . . . 245.3 Main Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . 24

6 Related Work 25

7 Conclusion 26

References 26

A OpenID Connect and the Attacks on this Standard 28A.1 Modes and Protocol Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . 30A.2 The 307 Redirect Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . 31A.3 The IdP Mix-Up Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . 31

B The Generic Web Model 33B.1 Communication Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . 33B.2 Scripting Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . 37B.3 Web System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 37

C Message and Data Formats 38C.1 Notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . 38C.2 URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39C.3 Origins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 39C.4 Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 39C.5 HTTP Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . 39C.6 DNS Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 41C.7 DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 41

D Detailed Description of the Browser Model 41

2

D.1 Notation and Terminology (Web Browser State) . . . . . . . . .. . . . . . . . . . . . . 41D.2 Description of the Web Browser Atomic Process . . . . . . . . .. . . . . . . . . . . . . 44

E Formal Model of OAuth 51E.1 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 52E.2 Addresses and Domain Names . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . 52E.3 Keys and Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . 52E.4 Identities, Passwords, and Protected Resources . . . . . .. . . . . . . . . . . . . . . . 53E.5 Corruption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . 54E.6 Processes inW (Overview) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54E.7 Network Attackers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . 54E.8 Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 54E.9 Relying Parties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . 55E.10 Identity Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . 62

F Formal Security Properties 66

G Proof of Theorem 1 66G.1 Properties ofOWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66G.2 Proof of Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . 69G.3 Proof of Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . 74

3

1. Introduction

The OAuth 2.0 authorization framework [13] defines a web-based protocol that allows a user to grantweb sites access to her resources (data or services) at otherweb sites (authorization). The formerweb sites are called relying parties (RP) and the latter are called identity providers (IdP).1 In practice,OAuth 2.0 is often used forauthenticationas well. That is, a user can log in at an RP using her identitymanaged by an IdP (single sign-on, SSO).

Authorization and SSO solutions have found widespread adoption in the web over the last years,with OAuth 2.0 being one of the most popular frameworks. OAuth 2.0, in the following often simplycalledOAuth,2 is used by identity providers such as Facebook, Google, Microsoft, Yahoo, GitHub, andDropbox. This enables billions of users to log in at millionsof RPs or share their data with these [27],making OAuth one of the most used single sign-on systems on the web.

OAuth is also the foundation for the new single sign-on protocol OpenID Connect, which is alreadyin use and actively supported by PayPal (“Log In with PayPal”), Google, and Microsoft, among others.Considering the broad industry support for OpenID Connect,a widespread adoption of OpenID Con-nect in the next years seems likely. OpenID Connect builds upon OAuth and provides clearly definedinterfaces for user authentication and additional (optional) features, such as dynamic identity providerdiscovery and relying party registration, signing and encryption of messages, and user logout.

OAuth defines a very complex protocol. The interactions between the user and her browser, the RP,and the IdP can be performed in four different flows, or grant types: authorization code grant, implicitgrant, resource owner password credentials grant, and the client credentials grant (we refer to these asmodesin the following). In addition, in most of these modes, depending on the configuration and priorsetup of the RP and the IdP, further options within the different modes are provided.

Therefore, analyzing the security of OAuth is a complex task. So far, most analysis efforts were tar-geted towards finding errors in specific implementations [4,6,18,26,28], rather than the comprehensiveanalysis of the standard itself: none of the existing analysis efforts of OAuth account for multiple modesof OAuth running simultaneously, which may potentially introduce new security risks. In fact, manyexisting approaches analyze only the authorization code mode and the implicit mode of OAuth. Also,importantly, there are no analysis efforts that are based ona comprehensive formal web model, which,however, is essential to rule out security risks that arise when running the protocol in the context ofcommon web technologies.

Contributions of this Paper. We perform the first extensive formal analysis of the OAuth 2.0 standardfor all four modes, which can even run simultaneously withinthe same and different RPs and IdPs,based on a comprehensive web model which covers large parts of how browsers and servers interact inreal-world setups. Our analysis also covers the case of malicious IdPs and RPs.

Informal description of OAuth.As a basis for the model, we first provide a detailed description of theprotocol flows in all four modes of OAuth.

Formal model of OAuth.Our formal analysis of OAuth uses an expressive Dolev-Yao style model of theweb infrastructure [8] proposed by Fett, Küsters, and Schmitz. This model has already been used to ana-lyze the security of the BrowserID single sign-on system [8,10] as well as the security and privacy of theSPRESSO single sign-on system [11]. This web model is designed independently of a specific web ap-plication and closely mimics published (de-facto) standards and specifications for the web, for instance,the HTTP/1.1 and HTML5 standards and associated (proposed)standards. It is the most comprehensiveweb model to date. Among others, HTTP(S) requests and responses, including several headers, such

1Following the OAuth 2.0 terminology, IdPs are calledauthorization serversandresource servers, RPs are calledclients,and users are calledresource owners. Here, however, we stick to the more common terms mentioned above.

2Note that in this document, we consider only OAuth 2.0, whichis very different to its predecessor, OAuth 1.0.

4

as cookie, location, strict transport security (STS), and origin headers, are modeled. The model of webbrowsers captures the concepts of windows, documents, and iframes, including the complex navigationrules, as well as new technologies, such as web storage and cross-document messaging (postMessages).JavaScript is modeled in an abstract way by so-called scripting processes which can be sent around and,among others, can create iframes and initiate XMLHTTPRequests (XHRs). Browsers may be corrupteddynamically by the adversary.

Using this generic web model, we build a formal model of OAuth, closely following the OAuth 2.0standard [13]. Since this standard does not fix all aspects of the protocol, we use the current OAuth 2.0security recommendations (RFC6819 [19]) and current web best practices (e.g., regarding sesssionhan-dling) to obtain a model of OAuth 2.0 with state-of-the-art security features in place, in order to avoidknown implementation attacks. (Note that the security recommendations in RFC6819 cover many of thebugs found in earlier analysis efforts on implementations of OAuth.) As mentioned above, our modelincludes RPs and IdPs that (simultaneously) support all four modes and can be dynamically corruptedby the adversary. Also, we model all configuration options ofOAuth (see Section2).

Formalization of security properties.Based on this model of OAuth, we provide formal definitionsof the security properties of OAuth. In particular, we statetwo separate properties: authorization andauthentication.

New attacks on OAuth 2.0 and fixes.While trying to prove these properties, we discovered two previouslyunknown attacks on OAuth, which both break authorization aswell as authentication. In the first attack,IdPs inadvertently forward user credentials (i.e., username and password) to the RP or the attacker. In thesecond attack, a network attacker can impersonate any victim. This severe attack is caused by a logicalflaw in the OAuth 2.0 protocol and depends on the presence of malicious IdP. In practice, OAuth setupsoften allow for selected (and thus hopefully trustworthy) IdPs only. In these setups the attack would notapply. The attack, however, can be exploited in OpenID Connect, which, as mentioned, builds directlyon OAuth. We have verified the attacks on an implementation ofOAuth and OpenID Connect. We alsonotified the respective working groups, who confirmed the attacks and adopted the fixes we propose inthis paper. We present our attacks on OAuth in Section3 in detail. In AppendixA we show how theattacks can be exploited in OpenID Connect.

We show how both attacks can be fixed by changes that are easy toimplement in new and existingdeployments of OAuth and OpenID Connect.

Formal analysis of OAuth 2.0.We then prove that OAuth satisfies the authorization and authenticationproperties in a model of OAuth with the fixes in place. This is the first proof which establishes thesecurity of OAuth in a comprehensive and expressive web model.

We note that while these results provide strong security guarantees for OAuth they do not directlyimply security of OpenID Connect because OpenID Connect adds specific details on top of OAuth. Weleave a formal analysis of OpenID Connect to future work. Theresults obtained here can serve as a goodfoundation for such an analysis.

Structure of this Paper. In Section2, we provide a detailed description of the OAuth 2.0 protocol.In Section3 we present the attacks that we found during our analysis. An overview of the genericweb model we build upon in our analysis is provided in Section4, with the formal analysis of OAuthpresented in Section5. Related work is discussed in Section6. We conclude in Section7. We show howthe attacks can be applied to OpenID Connect in AppendixA. Full details, in particular regarding ourmodeling of OAuth 2.0 and the proof, can be found in the appendicesB– G.

5

2. OAuth 2.0

In this section, we provide a detailed description of OAuth.We here describe in detail all four modes ofOAuth.

OAuth was first intended forauthorization, i.e., the users authorize RPs to access user data (calledprotected resources) at IdPs. For example, a user can use OAuth to authorize services such as IFTTT3

to access her (private) timeline on Facebook. In this case, IFTTT is the RP and Facebook the IdP.Roughly speaking, in the most common modes, OAuth works as follows. If a user wants to authorize

an RP to access some of the user’s data at an IdP, the RP redirects the user (the user’s browser) to theIdP where the user authenticates and agrees to grant the RP access to some of her user data at the IdP.Then, along with some token (an authorization code or an access token) issued by the IdP, the user isredirected back to the RP. The RP can then use the token as a credential at the IdP to access the user’sdata at the IdP.

OAuth is also commonly used forauthentication, although it was not designed with authenticationin mind. A user can, for example, use her Facebook account, with Facebook being the IdP, to log in atthe social network Pinterest, being the RP. Typically, in order to log in, the user authorizes the RP toaccess a unique user identifier at the IdP. The RP then retrieves this identifier and considers this user tobe logged in.

We now first provide some preliminary information regardingOAuth and then present the details ofthe four modes of OAuth.

2.1. Preliminaries

Endpoints. In OAuth, RPs and IdPs have to provide certain URIs to each other. The parties andservices these URIs point to are calledendpoints; often the URIs themselves are called endpoints. AnIdP provides anauthorization endpointat which the user can authenticate to the IdP and authorize anRP to access her user data. The IdP also provides atoken endpointat which the RP can request accesstokens. An RP provides one or moreredirection endpointsto which the user’s browser gets redirectedby an IdP after the user authenticated to the IdP. The URIs of the endpoints are not fixed by the standard,but are communicated when RPs register at IdPs, as describedbelow.

The OAuth standard [13] and the accompanying security recommendations [19] suggest that all end-points use HTTPS. We follow this recommendation in our analysis of OAuth.

Registration. Before an RP can interact with an IdP, the RP needs to be registered at the IdP. The detailsof the registration process are out of the scope of the OAuth protocol. In practice, this process is usuallya manual task. During the registration process, the IdP assigns to the RP a fixed OAuth client id andclient secret.4 The RP may later use the client secret to authenticate to the IdP. If the RP cannot keep theOAuth client secret confidential, e.g., if the RP is an in-browser app or a native application, the secretcan be omitted. Note that the OAuth client id is public information. It is, for example, revealed to usersin redirects issued by the RP.

Also, an RP registers one or more redirection endpoints at anIdP. As we will see below, in someOAuth modes, the IdP redirects the user’s browser to one of these redirect URIs. If more than oneredirect URI is registered, the RP must specify which redirect URI is to be used in each run of theOAuth protocol. For simplicity of presentation, we will assume that an RP always specifies its choice,although this can be omitted if there exits only one (fixed) redirect URI. Note that (depending on the

3IFTTT (If This Then That) is a web service which can be used to automate actions: IFTTTis triggered by user-definedevents (e.g., Twitter messages) and carries out user-defined tasks (e.g., posting on the user’s Facebook wall).

4Recall that in the terminology of the OAuth standard the term“client” stands for RP.

6

implementation of an IdP) an RP may also register a pattern asa redirect URI and then specify the exactredirect URI during the OAuth run. In this case, the IdP checks if the specified redirect URI matchesthis pattern.

During the registration process, the (fixed) endpoints belonging to an IdP are configured at an RP aswell.

Our analysis presented in Section5 covers all the above mentioned options: absence and presence ofclient secrets, specified redirect URIs, and URI patterns.

Login Sessions.As mentioned before, in some OAuth modes, an RP redirects theuser’s browser toan IdP which later redirects the browser back to the RP. In order to prevent cross-site request forgery(CSRF) attacks, the RP typically establishes a session withthe browser before the first redirect. TheOAuth standard recommends that an RP selects the so-calledstateparameter and binds this value tothe session, e.g., by choosing a fresh nonce and storing the nonce in the session state. When the userlater gets redirected back to the RP, thestatevalue must be identical. The intention is that this valueshould always be unknown to an attacker in order to prevent CSRF attacks. In our analysis, we followthe recommendation of using thestateparameter.5

Further Recommendations and Options.The standard and the recommendations do not specify allimplementation details. For example, the precise user interaction with an RP, formatting details ofmessages, and the authentication of the user to an IdP (e.g.,user name and password or some othermechanism) are not covered. In our security analysis of OAuth we follow all OAuth security recommen-dations as well as common best practices for state-of-the-art web applications in order to avoid knownattacks.

OAuth allows RPs to specify whichscopeof the user’s data they are requesting access to at an IdP.The scopes themselves are not defined in the standard and are considered an implementation detail ofIdPs. Therefore, in our description and analysis of OAuth, we omit the scope parameter and assume thatthe user always grants full access to her data at the IdP.

2.2. OAuth Modes

OAuth can run in the following four major modes (calledgrant typesin the standard): authorization codemode, implicit mode, resource owner password credentials mode, and client credentials mode. Whilethe first two modes are very commonly used and similar to each other, the latter two modes are used lessoften and are different to the other modes and to each other.

We now describe these modes in detail. Contrary to our analysis, for simplicity of presentation, weonly consider a specific set of options in the following description. For example, we assume that an RPalways provides a redirect URI and shares an OAuth client secret with the IdP.

Authorization Code Mode. When the user tries to authorize an RP to access her data at an IdP or tolog in at an RP, the RP redirects the user’s browser to the IdP.The user authenticates to the IdP, e.g., byproviding user name and password, and is redirected back to the RP along with anauthorization codegenerated by the IdP. The RP then contacts the IdP with this authorization code (along with the client idand client secret) and receives anaccess token. The RP can then use the access token as a credential toaccess the user’s protected resources at the IdP.

Step-by-Step Protocol Flow.In what follows, we describe the protocol flow of the authorization codemode step-by-step (see also Figure1). First, the user starts the OAuth flow, e.g., by clicking on a

5Note that the OAuth standard [13] as well as the accompanying security recommendations [19] do not specify the sessionmechanism for RPs. In our analysis we assume the usual session mechanism with session cookies following common bestpractices. For more details, see Section5.1.

7

Browser RP IdP

/Browser /RP /IdP

1 POST /start

idp

2 Response

Redirect to IdP /authEP withclient_id, redirect_uri, state

3 GET /authEP

client_id, redirect_uri, state

4 Response

5 POST /authEP

username, password

6 Response

Redirect to RPredirect_uri with code, state

7 GET redirect_uri

code, state

8 POST /tokenEP

code, client_id, redirect_uri, client_secret

9 Response

access_token

Authorization:

10 GET /resource

access_token

11 Response

protected resource

Authentication:

12 GET /inspectionEP

access_token

13 Response

user_id, client_id

14 Response

session_cookie

Figure 1. OAuth 2.0 authorization code mode. Note that data depicted below the arrows is either transferred inURL parameters, HTTP headers, or POST bodies. For details see [13].

8

button to select an IdP, resulting in request1 being sent to the RP. The RP selects one of its redirectURIs redirect_uri (which will be used later in7 ) and a valuestate(as described above). The RP thenredirects the browser to the authorization endpoint at the IdP in 2 and 3 with its client_id, redirect_uri,andstateappended as parameters to the URI.6 The IdP then prompts the user to provide her usernameand password in4 . The user’s browser sends this information to the IdP in5 . If the user’s credentialsare correct, the IdP creates a noncecode(the authorization code) and redirects the user’s browser toRP’s redirection endpointredirect_uri in 6 and 7 with codeandstateappended as parameters to theredirection URI. Next, the RP contacts the IdP in8 and providescode, client_id, client_secret, andredirect_uri. Then the IdP checks whether this information is correct, i.e., it checks thatcodewas issuedfor the RP identified byclient_id, thatclient_secretis the correct secret forclient_id, thatredirect_uricoincides with the one in Step2 , and thatcodehas not been redeemed before. If these checks aresuccessful, the IdP issues an access tokenaccess_token in 9 . Now, the RP can useaccess_token toaccess the user’s protected resources at the IdP (authorization) or log in the user (authentication), asdescribed next.

When OAuth is used forauthorization, the RP uses the access token to view or manipulate the pro-tected resource at the IdP (illustrated in Steps10 and 11 ).

For authentication, the RP fetches a user id (which uniquely identifies the user at the IdP) using theaccess token as illustrated in Steps12 and 13 . Along with the user id, the RP also receives its OAuthclient id from the IdP. The RP checks if this client id is in fact the client id of the RP at the IdP. The RPthen issues a session cookie to the user’s browser as shown in14 .

We note that the IdP may also issue a so-calledrefresh tokenalong with the access token in Step9 .The RP may use the refresh token along with its credentials toobtain a fresh access token. The refreshtoken can be considered as a long-living access token, whilethe access token itself is only valid for alimited time.7

For brevity of presentation, in the remaining modes, explained below, we only consider authorization.The last steps for both authorization and authentication are analogous to those presented here.

Implicit Mode. This mode is a simplified version of the authorization code mode: instead of providingan authorization code to an RP, an IdP directly delivers an access token to the RP (via the user’s browser).

Step-by-Step Protocol Flow.We now provide a step-by-step description of the protocol flow (see alsoFigure 2). As in the authorization code mode, the user starts the OAuth flow, e.g., by clicking on abutton to select an IdP, triggering the browser to send request 1 to the RP. The RP selects the redirectURI redirect_uri (which will be used later in7 ) and a valuestate. The RP then redirects the browserwith its client_id, redirect_uri, andstateto the authorization endpoint at the IdP8 in 2 and 3 . The IdPprompts the user to enter her username and password in4 . The user’s browser sends this informationto the IdP in 5 . If the user’s credentials are correct, the IdP creates an access tokenaccess_tokenandredirects the user’s browser to the RP’s redirection endpoint redirect_uri in 6 and 7 , where the IdPappendsaccess_tokenand state to the fragment of the redirection URI. (Recall that a fragment is aspecial part of a URI indicated by the ‘#’ symbol. When the browser opens a URI, the information in thefragment is not transferred to the server.) Hence, in Step7 access_tokenandstateare not transferred tothe RP. To retrieve these values, the RP in8 delivers a document containing JavaScript code. It retrievesaccess_tokenandstatefrom the fragment and sends these to the RP in9 . The RP then checks ifstate

6Note that also a fixed string “code” indicating to the IdP that authorization code mode is used is appended as a parameterto the URI.

7In our analysis, we do not explicitly consider refresh tokens. Instead we overapproximate access tokens in that they donot expire, and hence, we make these tokens long-living themselves. Note that refresh tokens are less powerful than suchaccess tokens in the sense that refresh tokens are only useful in combination with the credentials of the appropriate RP.

8Note that also a fixed string “token” indicating to the IdP that implicit mode is used is appendedas a parameter to theURI.

9

Browser RP IdP

/Browser /RP /IdP

1 POST /start

idp

2 Response

Redirect to IdP /authEP withclient_id, redirect_uri, state

3 GET /authEP


4 Response

5 POST /authEP

username, password

6 Response

Redirect to RPredirect_uri, fragment: access_token, state

7 GET redirect_uri

8 Response

9 POST /token

access_token, state

10 GET /resource

access_token

11 Response

protected resource

Figure 2. OAuth 2.0 implicit mode

10

Browser RP IdP

/Browser /RP /IdP

1 POST /start

idp, username, password

2 POST tokenEP

username, password, client_id, client_secret

3 Response

access_token

4 GET /resource

access_token

5 Response

protected resource

Figure 3. OAuth 2.0 resource owner password credentials mode

is the same as above. Just as in the authorization code mode, the RP can now useaccess_token forauthorization (illustrated in Steps10 and 11 ); authentication is analogous to Steps12 , 13 , and 14 ofFigure1.

For authentication, note that the response from the IdP includes the RP’s OAuth client id, which isalso checked by the RP. This check prevents re-usage of access tokens across RPs in the OAuth implicitmode as explained in [29].

We note that in the implicit mode, an IdP cannot verify the identity of the receiver of the access token,as an RP does not authenticate itself to the IdP (usingclient_secret). Hence, this mode is more suitablefor RPs that do not have access to a secure, long-lived storage (for aclient_secret) such as in-browserapplications.

Resource Owner Password Credentials Mode.In this mode, the user gives her credentials for an IdPdirectly to an RP. The RP can then authenticate to the IdP on the user’s behalf and retrieve an accesstoken. The resource owner password credentials mode is intended for highly-trusted RPs, such as theoperating system of the user’s device or highly-privilegedapplications, or if the previous two modes arenot possible to perform (e.g., for applications without a web browser). In the following, we assume thatthe authorization/login process is started by the user using a web browser.

Step-by-Step Protocol Flow.We now provide a step-by-step description of the resource owner passwordcredentials mode (see also Figure3): The user provides her username and password for the IdP to the RPin 1 . Now, the RP sends the username, the password, itsclient_id andclient_secret9 to the IdP in2 . TheIdP then issues an access tokenaccess_tokento the RP in 3 .10 Just as in the authorization code mode,the RP can now useaccess_tokenfor authorization (illustrated in Steps4 and 5 ) and authentication (asin Steps12 , 13 , and 14 of Figure1).

Client Credentials Mode. In contrast to the modes shown above, this mode works withoutthe user’sinteraction. Instead, it is started by an RP in order to fetchan access token to access RP’s own resources

9Note that in this mode, if an RP does not have an OAuth client secret for an IdP, theclient_secretandclient_id parametersarebothomitted in this request. This option is also covered by our analysis.

10As in the authorization code mode, an IdP may also issue a refresh token to the RP here.

11

Browser RP IdP

/Browser /RP /IdP

1 POST /tokenEP

client_id, client_secret

2 Response

access_token

3 GET /resource

access_token

4 Response

protected resource

Figure 4. OAuth 2.0 client credentials mode

at an IdP or to access resources at an IdP the RP is authorized to by other means. For example, Face-book allows RPs to use the client credentials mode to obtain an access token to access reports of theiradvertisements’ performance.

Step-by-Step Protocol Flow.The step-by-step description of the client credentials mode is as follows (seealso Figure4): First, the RP contacts the IdP with RP’sclient_id andclient_secretin 1 . The IdP nowissues anaccess_tokenin 2 . Just as in the authorization code mode, the RP can now useaccess_tokenfor authorization (illustrated in Steps3 and 4 ). In contrast to the other modes presented above, theaccess token is not bound to a specific user account, but only to the RP.

3. Attacks on OAuth 2.0 and OpenID Connect

As mentioned in the introduction, while trying to prove the security of OAuth, we discovered two previ-ously unknown attacks, which both apply to the authorization code mode as well as the implicit mode.We call these attacks307 redirect attackandIdP mix-up attack, respectively. In this section, we providedetailed descriptions of these attacks along with fixes which are easy to implement. Our formal analysisof OAuth (see Section5) then shows that these fixes are indeed sufficient to establish the security ofOAuth. As mentioned in the introduction, the attacks on OAuth also apply to OpenID Connect. Sincein this paper the main focus is on OAuth, we only briefly present OpenID Connect and the attacks onthis protocol in Section3.3and AppendixA. Figure5 provides an overview of where the attacks apply.We have verified our attacks on an implementation of OAuth andOpenID Connect and reported bothattacks to the respective working groups, who confirmed the attacks and adopted our fixes.

3.1. Attack: 307 Redirect

In this attack, the attacker (running a malicious RP) learnsthe user’s credentials when the user logs in atan IdP that uses the wrong HTTP redirection status code.

Assumptions. We assume that (1) the user wants to log in at a malicious RP (orauthorize a maliciousRP to access protected resources). Besides providing some (harmless) services, this RP collects all datait receives. We further assume that (2) the IdP that is used for the login chooses the wrong HTTP statuscode (307) when redirecting the user’s browser in Step6 of the authorization code mode (Figure1)

12

OAuth OpenID Connectauth. code implicit auth. code implicit hybrid

mode mode mode mode mode

307 Redirect Attackauthorization broken yes yes yes yes yesauthentication broken yes yes yes yes yes

IdP Mix-Up Attackauthorization broken yes* yes yes* yes**authentication broken yes yes yes yes**

Figure 5. Attacks on OAuth 2.0 and OpenID Connect: Overview. The attacks are not applicable to resource ownerpassword credentials mode or client credentials mode. (*):if OAuth client credentials are not used. (**): if OAuthclient secrets are not used, and otherwise, if such credential are used, then either authorization or authentication isbroken, depending on implementation details, see AppendixA.

or in Step 6 of the implicit mode (Figure2). Finally, we assume that (3) the IdP redirects the userimmediately after the user entered her credentials (i.e., in the response to the HTTP POST request thatcontains the form data sent by the user’s browser).

Assumption (1).This assumption is obviously reasonable. It cannot be assumed that all RPs where someusers log in behave honestly.

Assumption (2).This assumption is reasonable because neither the OAuth standard [13] nor the OAuthsecurity considerations [19] (nor the OpenID Connect standard [23]) specify the exact method of howto redirect. The OAuth standard rather explicitly permits any HTTP redirect:

While the examples in this specification show the use of the HTTP 302 status code, anyother method available via the user-agent to accomplish this redirection is allowed and isconsidered to be an implementation detail.

Assumption (3).This assumption is reasonable as many examples for redirects immediately after enter-ing the user credentials can be found in practice, for example atgithub.com. (GitHub is not vulnerableto the attack presented here, as assumption (2) is not satisfied in this case.)

Attack. When the user uses OAuth (or OpenID Connect, see Section3.3) to log in at this RP, the useris redirected to the IdP and prompted to enter her credentials. The IdP then receives these credentialsfrom the user’s browser in a POST request. It checks the credentials and redirects the user’s browserto the RP’s redirection endpoint in the response to the POST request. Since the 307 status code is usedfor this redirection, the user’s browser will send a POST request to RP that contains all form data fromthe previous request, including the user credentials. Since the RP is run by the attacker, it can use thesecredentials to impersonate the user.

Fix. Contrary to the current wording in the OAuth standard, the exact method of the redirect is notan implementation detail but essential for the security of OAuth. In the HTTP standard [12], onlythe 303 redirect is defined unambigiously to drop the body of an HTTP POST request.All other HTTPredirection status codes, including the most commonly used302, leave the browser the option to preservethe POST request and the form data. In practice, browsers typically rewrite to a GET request, therebydropping the form data, except for 307 redirects. Therefore, the OAuth standard should require 303redirects for the steps mentioned above in order to fix this problem.

3.2. Attack: IdP Mix-Up

In this attack, the attacker confuses an RP about which IdP the user chose at the beginning of thelogin/authorization process in order to acquire an authentication code or access token which can be used

13

Browser RP Attacker (AIdP) HIdP

/Browser /RP /Attacker (AIdP) /HIdP

1 POST /start

idp

2 POST /start

attacker

3 Response

Redirect to Attacker /authEP withclient_id′, redirect_uri, state

4 Response

Redirect to HIdP /authEP withclient_id, redirect_uri, state

5 GET /authEP


6 Response

7 POST /authEP

username, password

8 Response

Redirect to RPredirect_uri, fragment: access_token, state

9 GET redirect_uri

10 Response

11 POST /token

access_token, state

12 GET /resource

access_token

Continued attack to break authentication:

13 POST /start

idp

14 Response

Redirect to HIdP /authEP withclient_id, redirect_uri, state′

15 POST /token

access_token, state′

16 GET /inspectionEP

access_token

17 Response

user_id, client_id

18 Response

session_cookie

Figure 6. Attack on OAuth 2.0 implicit mode

14

to impersonate the user or access user data.Just as the previous attack, the IdP mix-up attack applies tothe authorization code mode and the

implicit mode of OAuth. To launch the attack, the attacker manipulates the first request of the user suchthat the RP thinks that the user wants to use an identity managed by an IdP of the attacker while the userinstead wishes to use her identity managed by an honest IdP. As a result, the RP sends the authorizationcode or the access token (depending on the OAuth mode) issuedby the honest IdP to the attacker, whothen can use these values to login at the RP under the user’s identity (managed by the honest IdP) oraccess the user’s protected resources at the honest IdP.

In what follows, we refer to the IdP run by the attacker by AIdPand the honest IdP by HIdP.We present the attack in the implicit mode. The attack for theauthorization code mode is very similar

and is presented briefly at the end of this section.

Assumptions. For the IdP mix-up attack to work, we need two assumptions (see below for furtherdiscussion and explanation): (1) the presence of a network attacker who can manipulate the request inwhich the user sends her identity to the RP as well as the corresponding response to this request (seeSteps 1 and 2 in Figure2),11 and (2) an RP which allows users to log in with identities provided by(some) HIdP and identities provided by AIdP. We emphasize that we do not assume that the user sendsany secret (such as passwords) over an unencrypted channel.

Assumption (1).It would be unrealistic to assume that a network attacker cannever manipulate Steps1and 2 in Figure2.

First, many RPs might not require this request to be HTTPS since no sensitive user data is transferredat this point of the protocol, and hence, an RP might not see the need for encrypted communication forthis request. Note that the user only selects an IdP at this point; credentials are not sent. Moreover, theuse of HTTPS for this step is not suggested by the OAuth security recommendations.

Second, even if an RP intends to use HTTPS also for the first request (as in our model), the attackercan intercept the initial (often unencrypted) request fromthe user to the RP and alter all links fromHTTPS to HTTP and remove any redirections to HTTPS URLs (a technique known as SSL stripping).This interception would fail only if the user accesses the website of the RP using HTTPS from the verybeginning (e.g., by entering the URL manually), if RP has seta Strict Transport Security (STS) headerin an earlier communication with the browser and this is not circumvented by the attacker (see [25]), orif the RP domain would be included in a browser preloaded STS list [7]. It is, however, unrealistic toassume that all RPs are always protected in one of these ways.

We emphasize that our formal analysis presented in Section5 shows that OAuth can be operatedsecurely even if no HTTPS is used for the initial request (given that our fix, presented below, is applied).

We also note that when intercepting the response in Step2 as discussed here, the attacker could alsoread the session identifier for the session that the user’s browser has established with the RP. Our attack,however, is not based on this possibility and works even if the RP later (at a point where the protocol isprotected by HTTPS) changes this session identifier as soon as the user is logged in (a best practice forsession management).

Assumption (2).This assumption also conforms with the OAuth standard as RPsmay use differentIdPs. And hence, OAuth should provide security in this case.From the point of view of how OAuth istypically deployed in practice, this assumption might seemunrealistic at first: OAuth RP deploymentstypically consider only one or two selected (and hopefully trusted) IdPs. OAuth forms, however, thebasis for OpenID Connect. There, using the dynamic client registration extension, RPs can dynamicallyestablish an OAuth registration with any IdP. This enables the ad-hoc use of any IdP in OpenID Connect,

11Note that to manipulate these two messages the network attacker needs to only be able to intercept the communicationbetween the user and the RP (e.g., using ARP spoofing in a wifi network). Importantly, he does not need to intercept messagesexchanged between servers.

15

including malicious IdPs. See Section3.3and AppendixA for details on how the IdP mix-up attack canbe carried out on OpenID Connect in practice.

Attack. We now describe the attack on the OAuth implicit mode in detail. As mentioned, a very similarattack also applies to the OAuth authorization code mode andboth attacks even work if IdP supportsjust one of these two modes, rather than both or all four OAuthmodes. Note that these two modes arethe most common modes in practice.

Attack on Implicit Mode.The IdP mix-up attack for the implicit mode is depicted in Figure 6. Just asin the implicit mode, the attack starts when the user selectsthat she wants to log in using HIdP (Step1

in Figure 6). Now, the attacker intercepts the request intended for theRP and modifies the contentof this request by replacing HIdP by AIdP. The response of theRP 3 (containing a redirect to AIdP)is then again intercepted and modified by the attacker such that it redirects the user to HIdP4 . Theattacker also replaces the OAuth client id of the RP at AIdP with the client id of the RP at HIdP.12 (Notethat we assume that from this point on, in accordance with theOAuth security recommendations, thecommunication between the user’s browser and HIdP and the RPis encrypted by using HTTPS, and thus,cannot be inspected or altered by the attacker.) The user then authenticates to HIdP and is redirectedback to the RP8 . The RP, however, still assumes that the access token contained in this redirect is anaccess token issued by AIdP, rather than HIdP. The RP therefore now uses this access token to retrieveprotected resources of the user (or the user id) at AIdP12 , rather than HIdP. This leaks the access tokento the attacker who can now access protected resources of theuser at IdP. This breaks the authorizationproperty (see Section5.2 below). (We note that at this point, the attacker might even provide falseinformation about the user or her protected resources to theRP.)

To break authentication and impersonate the honest user, the attacker now starts a new login process(using his own browser) at the RP. In13 he selects HIdP as the IdP for this login process. He receivesa redirect to HIdP, which he skips.13 The attacker now sends the access tokenaccess_tokencaptured inStep 12 to the RP imitating a real login15 . The RP now uses this access token to retrieve the user idat HIdP 16 and receives the (honest) user’s id as well as its own OAuth client id 17 . Being convincedthat the attacker owns the honest user’s account, the RP issues a session cookie for this account to theattacker 18 . As a result, the attacker is logged in at the RP under the honest user’s id. This breaks theauthentication property of OAuth (see Section5.2below).

Attack on Authorization Code Mode.A similar attack can be applied to the authorization code modeof OAuth. This attack is based on the same assumptions as the attack on the implicit mode. First, theattacker applies the same modifications to the request from the browser to the RP and its response toinitiate an OAuth flow. Recall that in the authorization codemode, RP receives an authorization codeinstead of an access token. The RP then sends this authorization code to the token endpoint of AIdP (inorder to request an access token). If the RP does not have a client secret registered at HIdP, the attackercan redeem this authorization code at HIdP in order to receive an access token to access the honest user’sprotected resources at HIdP. In this case, the authorization property of OAuth (see Section5.2below) isbroken.

Alternatively, the attacker can break the authentication property for OAuth as follows: The attackerstarts a new OAuth flow with the RP using his own browser and selecting HIdP as the IdP. He thenreceives a redirect from the RP to HIdP to authenticate himself. He omits the interaction with HIdP andsends a request to the RP’s redirection endpoint containingthe authorization code. As this authorizationcode has not been redeemed before at HIdP, the code is still valid. Hence, when the RP requests anaccess token with this authorization code at HIdP, HIdP issues such an access token to the RP. The RP

12As mentioned above, OAuth client ids are public information.13Note that this redirect contains (besides a cookie for a new login session) a fresh state parameter, saystate′. The attacker

will use this information in subsequent requests to the RP.

16

retrieves user information with this access token at HIdP, receives the user identifier for the user underattack and considers the attacker to be logged in as this user. (Note that the attacker does not learn anaccess token in this case.)

Fix. A fundamental problem in the implicit mode of the OAuth standard (and similarly for the autho-rization code mode) is that the redirect in Steps6 and 7 in Figure2 does not contain information fromwhere the redirect was initiated. And hence, the RP cannot check whether the information contained inthe redirect stems from the IdP that was indicated in Step1 .

Our fix therefore is to include the identity of the IdP in the redirect in some form. More specifically,we propose that RPs provide a unique redirection endpoint for each IdP. Hence, the information whichIdP redirected the browser to the RP is encoded in the requestand the RP can detect a mismatch. Notethat the communication at this point in the protocol is secured with HTTPS (when following the OAuthsecurity recommendations) and cannot be manipulated by theattacker. We show in Section5 that thisfix is indeed sufficient. In addition, one could try to preventthe IdP mix-up directly at the beginningof the protocol. (Nonetheless, in any case the RP should be able to check consistency in Step7 .) Wehave not considered such additional countermeasures because, as we show, our fix is sufficient for thesecurity of OAuth (as far as authorization and authentication goes).

3.3. Implications to OpenID Connect

Both, the 307 redirect attack and the IdP mix-up attack, can be applied to OpenID Connect as well.OpenID Connect [23] is a standard for authentication built on top of the OAuth protocol. It was pub-

lished only recently. Among others, OpenID Connect is already used in practice by PayPal, Google, andMicrosoft. OpenID Connect uses the same concept for authentication as described above and supportsretrieval of a unique user identifier and further meta data.

We here give a brief overview of OpenID Connect and how the attacks apply to this protocol. Adetailed description can be found in AppendixA.

OpenID Connect defines anauthorization code mode, an implicit mode, and ahybrid mode. Theformer two are based on the corresponding OAuth modes and thelatter is a combination of the twomodes.

OpenID Connect consists of a core protocol and (optional) extensions, such asdiscovery[24] anddynamic client registration[22]. Both extensions are used to fully automate the registration processbetween the relying party and the identity provider. This means that, using these extensions, any RP canregister dynamically at any IdP. This is triggered, for example, when a user wishes to authenticate withan IdP that the RP is not registered at.

In addition to an access token, OpenID Connect uses a so-called id token. The id token is issued bythe IdP along with the access token and contains a unique useridentifier and additional meta data, suchas the intended receiver (the RP) of the id token and the issuer of the id token (the IdP). The id token is(optionally) signed by the IdP.

307 Redirect Attack in OpenID Connect.This attack applies to OpenID Connect in exactly the same wayas described above. The vulnerable steps are identical in OAuth and OpenID Connect.

IdP Mix-Up Attack in OpenID Connect.In OpenID Connect, the mix-up attack applies to the authoriza-tion code mode and the hybrid mode. In the authorization codemode, the attack is very similar to theattack on the OAuth authorization code mode. In the hybrid mode, the attack is more complicated asadditional security measures have to be circumvented by theattacker. In particular, it must be ensuredthat the RP does not detect that the issuer of the id token is not the honest IdP. Interestingly, in the hybridmode, depending on an implementation detail of the RP, either authorization or authentication is broken(or both if no client secret is used).

17

For details on OpenID Connect and how the attacks can be executed in OpenID Connect see Ap-pendixA.

3.4. Verification

We have verified both attacks onmod_auth_openidc, an implementation of an OpenID Connect (andtherefore also OAuth) RP.

We notified the developers ofmod_auth_openidcand reported both attacks to the OAuth and OpenIDConnect working groups, who confirmed that changes to the standard (and recommendations) are neededto mitigate the attacks.

4. Generic Web Model

Our formal security analysis of OAuth is based on the generalDolev-Yao style web model proposedby Fett et al. in [8], with extensions presented in [11]. This web model is designed independentlyof a specific web application and closely mimics published (de-facto) standards and specifications forthe web. Based on a general communication model, the model specifies web systems, which containbrowsers, DNS servers, and web servers as well as web and network attackers.

Here, we only briefly recall this model (see the mentioned papers for a full description).

4.1. Communication Model

The main entities in the communication model areatomic processes, which are used to model webbrowsers, web servers, DNS servers as well as web and networkattackers. Each atomic process listensto one or more (IP) addresses. A set of atomic processes formswhat is called asystem. Atomic processescan communicate via events, which consist of a message as well as a receiver and a sender address. Inevery step of a run, one event is chosen non-deterministically from the current “pool” of events and isdelivered to one of the atomic processes that listens to the receiver address of that event. The atomicprocess can then process the event and output new events, which are added to the pool of events, and soon. More specifically, messages, processes, etc. are definedas follows.

Terms, Messages and Events.As usual in Dolev-Yao models (see, e.g., [1]), messages are expressed asformal terms over a signature. The signatureΣ for the terms and messages considered in the web modelcontains, among others, constants (such as (IP) addresses,ASCII strings, and nonces), sequence and pro-jection symbols, and further function symbols, including those for (a)symmetric encryption/decryptionand digital signatures. Messages are defined to be ground terms (terms without variables). For example,pub(k) denotes the public key which belongs to the private keyk. To provide another example of a mes-sage, in the web model, an HTTP request is represented as a ground term containing a nonce, a method(e.g.,GET or POST), a domain name, a path, URL parameters, request headers (such asCookie), and amessage body. For instance, an HTTPGET request for the URLhttp://ex.com/show?p=1 is modeledas the term

r := 〈HTTPReq,n1,GET,ex.com,/show,〈〈p,1〉〉,〈〉,〈〉〉 ,

where headers and body are empty. An HTTPS request forr is of the formenca(〈r,k′〉,pub(kex.com)),wherek′ is a fresh symmetric key (a nonce) generated by the sender of the request (typically a browser);the responder is supposed to use this key to encrypt the response.

Eventsare terms of the form〈a, f ,m〉 wherea and f are receiver/sender (IP) addresses, andm is amessage, for example, an HTTP(S) message as above or a DNS request/response.

18

http://ex.com/show?p=1

Theequational theoryassociated with the signatureΣ is defined as usual in Dolev-Yao models. Thetheory induces a congruence relation≡ on terms. It captures the meaning of the function symbolsin Σ. For instance, the equation in the equational theory which captures asymmetric decryption isdeca(enca(x,pub(y)),y) = x. With this, we have that, for example,

deca(enca(〈r,k′〉,pub(kex.com)),kex.com)≡ 〈r,k

′〉 ,

i.e., these two terms are equivalent w.r.t. the equational theory.

Atomic Processes, Systems and Runs.Atomic Dolev-Yao processes, systems, and runs of systems aredefined as follows.

An atomic Dolev-Yao (DY) processis a tuple

p= (I p,Zp,Rp,sp0)

whereI p is the set of addresses the process listens to,Zp is a set of states (formally, terms),sp0 ∈ Zp is

an initial state, andRp is a relation that takes an event and a state as input and (non-deterministically)returns a new state and a sequence of events. This relation models a computation step of the process,which upon receiving an event in a given state non-deterministically moves to a new state and outputsa set of events. It is required that the events and states in the output can be computed (more formally,derived in the usual Dolev-Yao style) from the current inputevent and state. An atomic process mayalso create fresh nonces in a computation step.

The so-calledattacker processis an atomic DY process which records all messages it receives andoutputs all events it can possibly derive from its recorded messages. Hence, an attacker process is themaximally powerful DY process. It carries out all attacks any DY process could possibly perform and isparametrized by the set of sender addresses it may use. Attackers may corrupt other DY processes (e.g.,a browser).

A systemis a set of atomic processes. Aconfiguration(S,E,N) of this system consists of the currentstates of all atomic processes in the system (S), the pool of waiting events (E), and the mentionedsequence of unused nonces (N).

A run of a system for an initial sequence of eventsE0 is a sequence of configurations, where eachconfiguration (except for the initial one) is obtained by delivering one of the waiting events of the pre-ceding configuration to an atomic processp (which listens to the receiver address of the event), whichin turn performs a computation step according to its relation Rp. The initial configuration consists of theinitial states of the atomic processes, the sequenceE0, and an initial infinite sequence of unused nonces.

Scripting Processes.The web model also defines scripting processes, which model client-side scriptingtechnologies, such as JavaScript.

A scripting process(or simply, ascript) is defined similarly to a DY process. It is called by the browserin which it runs. The browser provides it with state information s, and the script then, according to itscomputation relation, outputs a terms′, which represents the new internal state and some commandwhich is interpreted by the browser (see also below). Again,it is required that a script’s output isderivable from its input.

Similarly to an attacker process, the so-calledattacker script Ratt may output everything that is deriv-able from the input.

4.2. Web System

A web system formalizes the web infrastructure and web applications. Formally, aweb systemis a tuple

(W,S ,script,E0)

19

with the following components:

• The first component,W, denotes a system (a set of DY processes as defined above) and containshonest processes, web attacker, and network attacker processes. While a web attacker can listento and send messages from its own addresses only, a network attacker may listen to and spoof alladdresses (and therefore is the maximally powerful attacker). Attackers may corrupt other parties.In the analysis of a concrete web system, we typically have one network attacker only and noweb attackers (as they are subsumed by the network attacker), or one or more web attackers butthen no network attacker. In analysis of OAuth we consider network attackers. Honest processescan either be web browsers, web servers, or DNS servers. The modeling of web servers heavilydepends on the specific application. The web browser model, which is independent of a specificweb application, is presented below.

• The second component,S , is a finite set of scripts, including the attacker scriptRatt. In a concretemodel, such as our OAuth model, the setS \ {Ratt} describes the set of honest scripts used inthe web application under consideration while malicious scripts are modeled by the “worst-case”malicious script,Ratt.

• The third component,script, is an injective mapping from a script inS to its string representationscript(s) (a constant inΣ) so that it can be part of a messages, e.g., an HTTP response.

• Finally, E0 is a sequence of events, which always contains an infinite number of events of the form〈a,a,TRIGGER〉 for every IP addressa in the web system.

A run of the web system is a run ofW initiated byE0.

4.3. Web Browsers

We now sketch the model of a web browser. A web browser is modeled as a DY process(I p,Zp,Rp,sp0).

An honest browser is thought to be used by one honest user, whois modeled as part of the browser.User actions are modeled as non-deterministic actions of the web browser. For example, the browseritself non-deterministically follows the links in a web page. User data (i.e., passwords and identities) isstored in the initial state of the browser and is given to a webpage when needed, similar to the AutoFillfeature in browsers.

Besides the user identities and passwords, the state of a webbrowser (modeled as a term) containsa tree of open windows and documents, lists of cookies, localStorage and sessionStorage data, a DNSserver address, and other data.

In the browser state, thewindowssubterm is the most complex one. It contains a window subtermfor every open window (of which there may be many at a time), and inside each window, a list ofdocuments, which represent the history of documents that have been opened in that window, with oneof these documents being active, i.e., this document is presented to the user and ready for interaction.A document contains a script loaded from a web server and represents one loaded HTML page. Adocument also contains a list of windows itself, modeling iframes. Scripts may, for example, navigateor create windows, send XHRs and postMessages, submit forms, set/change cookies, localStorage, andsessionStorage data, and create iframes. When activated, the browser provides a script with all datait has access to, such as a (limited) view on other documents and windows, certain cookies as well aslocalStorage and sessionStorage.

Figure7 shows a brief overview of the browser relationRp which defines how browsers behave. Forexample, when aTRIGGERmessage is delivered to the browser, the browser non-deterministically chosesan action. If, for instance, this action is 1, then an active document is selected non-deterministically,

20

PROCESSINGINPUT MESSAGEm

m= FULLCORRUPT: isCorrupted:= FULLCORRUPT

m= CLOSECORRUPT: isCorrupted:= CLOSECORRUPT

m= TRIGGER: non-deterministically chooseactionfrom {1,2,3}

action= 1: Call script of some active document.Outputs new state andcommand.

command= HREF: → Initiate request

command= IFRAME: Create subwindow,→ Initiate request

command= FORM: → Initiate request

command= SETSCRIPT: Change script in given document.

command= SETSCRIPTSTATE: Change state of scriptin given document.

command= XMLHTTPREQUEST:→ Initiate request

command= BACK or FORWARD: Navigate given window.

command= CLOSE: Close given window.

command= POSTMESSAGE: Send postMessage tospecified document.

action= 2:→ Initiate request to some URL in new window

action= 3:→ Reload some document

m= DNS response: send corresponding HTTP request

m= HTTP(S) response: (decrypt,) find reference.

reference to window:create document in window

reference to document:add response body to document’sscript input

Figure 7. The basic structure of the web browser relationRp with an extract of the most important processingsteps, in the case that the browser is not already corrupted.

and its script is triggered. The script (with inputs as outlined above), can now output a command, forexample, to follow a hyperlink (HREF). In this case, the browser will follow this link by first creating anew DNS request. Once a response to that DNS request arrives,the actual HTTP request (for the URLdefined by the script) will be sent out. After a response to that HTTP request arrives, the browser createsa new document from the contents of the response. Complex navigation and security rules ensure thatscripts can only manipulate specific aspects of the browser’s state. Browsers can become corrupted, i.e.,be taken over by web and network attackers. The browser modelcomprises two types of corruption:close-corruption, modeling that a browser is closed by the user, and hence, certain data is removed (e.g.,session cookies and opened windows), before it is taken overby the attacker, andfull corruption, whereno data is removed in advance. Once corrupted, the browser behaves like an attacker process.

5. Analysis of OAuth 2.0

We now present our security analysis of OAuth (with the fixes mentioned in Section3 applied). We firstpresent our model of OAuth. We then formalize the security properties for authorization and authenti-cation and state the main theorem, namely the security of OAuth w.r.t. these properties. We also sketchthe proof of this theorem, with full details provided in Appendix G.

21

5.1. Model of OAuth 2.0

As mentioned above, our model for OAuth is based on the generic web model outlined in Section4.We developed the OAuth model to adhere to RFC6749, the OAuth 2.0 standard, and follow the securityconsiderations described in [19].

OAuth Options and Implementation Details. For the options and implementation details that are leftopen by the OAuth standard and the security considerations,we made the following design decisions:

OAuth Modes.As mentioned, the OAuth standard does not fix which subset of modes RPs and IdPsuse and support. We therefore model that every RP, IdP, and browser may run any of the fourOAuth modes, even simultaneously.

CSRF Protection.Thestateparameter is used with a freshly chosen nonce that is bound tothe user’ssession in order to prevent Cross-Site Request Forgery attacks on the RP. This is recommended bythe standard.

Redirection URLs.In a run of the protocol, the RP chooses a redirection URL explicitely or the IdPselects a redirection URL that was registered before. Redirection URLs can be defined usingpatterns. This covers all cases specified in the OAuth standard.

Client Secrets.Clients can, for a certain IdP, have a secret or not have a secret in our model. Andhence, both options in the OAuth standard regarding client secrets are captured in our model

Scope.As described in Section2.1, we assume that RPs always get full access to the user’s data atthe IdP.

HTTPS Endpoints.Following the security recommendations, all endpoint URLsuse HTTPS. Obvi-ously, IdPs or RPs do not register URLs that point to servers other than their own.

Session Mechanism.The OAuth standard and the OAuth security recommendations,as mentioned,do not prescribe a specific session mechanism to be used at an RP. Our model therefore includesa standard cookie-based session mechanism which follows best practices. For example, cookiesare always set as session cookies (the cookie is discarded when the browser window is closed),with the attributeHTTP only(the cookie value is not accessible by JavaScript), and, forHTTPSconnections,secure(the cookie value is only transmitted over HTTPS). After successful login atan RP, the RP starts a new session. In our model, this second session is modeled using aservicetokenthat is sent to the browser (see below).

Authentication to the IdP.User authentication to the IdP, which is not part of the OAuthstandard, isperformed using username and password. It is assumed that the user only ever sends her passwordover an encrypted channel and only to the IdP this password was chosen for (the user does notre-use her password for different IdPs).

Authentication to the RP.To log a user in, an RP typically requests a unique user identifier from anIdP, as already mentioned above. We follow this common practice also in our model.

General User Interaction.User interaction (entering the user identifier at the RP, user credentials atthe IdP) is modeled as simple as possible (i.e., regular HTMLforms).14

14Of course, this does not limit the possibilities for user interaction, as defined in the general web model. For example, theuser can at any time navigate backwards or forward in her browser history, or navigate to any web page.

22

Concepts Used in Our Model.In our model and the security properties, we use the following concepts:

Protected Resources.OAuth protected resources are an abstract concept for any resource an RP coulduse at an IdP after successful authorization. For example, if Facebook gives access to the friends list ofa user to an RP, this would be considered a protected resource. In our model, there is a mapping from(IdP, RP, identity) to protected resources, where the identity part can be⊥, modeling a resource that isacquired in the client credentials mode and thus not bound toa user.

Generic Model for Session Mechanisms.When OAuth is used for authentication, we assume that aftersuccessful login, the RP sends aservice tokento the browser. The intuition is that with this service tokena user can use the services of the RP. The service token consists of a nonce, the users identifier, andthe domain of the IdP which was used in the login process. The service token is a generic model forany session mechanism the RP could use to track the user’s login status (e.g., a cookie) since the actualsession mechanism used by the RPafter a successful login is out of the scope of OAuth and our analysis.In our model, the service token is not stored by the browser.

Trusted RPs.In our model, among others, a browser can choose to launch theresource owner passwordcredentials mode with any RP, causing this RP to know the password of the user. RPs, however, canbecome corrupted and thus leak the password to the attacker.Therefore, to define the security properties,we define the concept oftrusted RPs. Intuitively, this is a set of RPs a user entrusts with her password.(Formally, it is a mapping from passwords to sets of RPs, where every password belongs to a specificuser.) In particular, whether or not an RP is trusted dependson the considered user. In our securityproperties, when, for example, we state that an adversary should not be able to impersonate a useru in arun, we would assume that all trusted RPs ofu have not become corrupted in this run.

OAuth Web System (OWS ). We model OAuth as a web system (in the sense of Section4). We call aweb systemOWS = (W ,S ,script,E0) anOAuth web systemif it is of the form described in what follows.

Outline. The systemW = Hon∪Net consists of a network attacker (inNet), a finite setB of webbrowsers, a finite setRP of web servers for the RPs, a finite setIDP of web servers for the IdPs,with Hon := B∪RP∪ IDP. Recall that since we have a network attacker, we do not need to considerweb attackers (as our network attacker subsumes all web attackers). The setS consists of the scriptsscript_rp_index, script_rp_implicit, andscript_idp_form, with their respective string representations de-fined in script asscript_rp_index, script_rp_implicit, andscript_idp_form. The setE0 isdefined as described in Section4.2. We now briefly sketch the models of RPs, IdPs, and the scripts, withmore details provided in the appendix and full details provided in the appendix.

Relying Parties.Each relying party is a web server modeled as an atomic DY process following thedescription in Section2 and the fixes discussed in Section3. The RP can either (at any time) launcha client credentials mode flow or wait for users to start any ofthe other flows. RP manages two kindsof sessions: Thelogin sessions, which are used only during the login phase of a user, and theservicesessions(modeled by aservice tokenas described above).

When receiving the special messageCORRUPT an RP can become corrupted. Similar to the definitionof corruption for the browser, the RP then starts sending outall messages that are derivable from itsstate.

Identity Providers.Each IdP is a web server modeled as an atomic DY process following the descriptionin Section2 and the fixes discussed in Section3. In particular, users can authenticate to an IdP with theircredentials. Authenticated users can interact with the authorization endpoint of the IdP (e.g., to acquirean authorization code). Just as RPs, IdPs can become corrupted.

Scripts.The scripts which run in a user’s browser (and their respective string represenations) are definedas follows:

23

script_rp_index. This script is loaded from an RP into a user’s browser when the user visits RPs website. It starts the authorization or login process.

script_rp_implicit. This script is loaded into the user’s browser from an RP during an implicit modeflow to retrieve the data from the URL fragment. It extracts the access token and state from thefragment part of its own URL. The script then sends this information in the body of an HTTPSPOST request to the RP.

script_idp_form. This script is loaded from an IdP into the user’s browser andmodels the form wherethe user enters her credentials to authenticate to the IdP.

5.2. Authorization and Authentication Properties

Based on the formal OAuth model described above, we now formalize central security properties ofOAuth, namely authorization and authentication (see Appendix F for full details). We note that theseproperties do not capture the possibility that an attacker forcefully logs in a user under the attacker’saccount. This is indeed often possible in web applications as long as cookies are used in the loginprocess (see, e.g., [30]).

Authorization. Intuitively, authorization forOWS means that an attacker should not be able to obtain aprotected resource available to some honest RP at an IdP for some user unless certain parties involvedin the authorization process are corrupted.

More formally, we say thatOWS is secure w.r.t. authorizationif the following holds true: if at anypoint in a run ofOWS an attacker can derive a protected resource available to some honest RPr at anIdP i for some useru, then the IdPi is corrupt or, ifu 6=⊥, we have that the browser ofu or at least oneof the trusted RPs ofu must be corrupted. Recall that ifu = ⊥, then the resource was acquired in theclient credentials mode, and hence, is not bound to a user.

Authentication. Intuitively, authentication forOWS means that an attacker should not be able to loginat an (honest) RP under the identity of a user unless certain parties involved in the login process arecorrupted. As explained above, being logged in at an RP undersome user identity means to haveobtained a service token for this identity from the RP.

More formally, we say thatOWS is secure w.r.t. authenticationif the following holds true: if at anypoint in a run ofOWS an attacker can derive the service token that was issued by anhonest RP usingsome IdPi for a useru, then the IdPi, the browser ofu, or at least one of the trusted RPs ofu must becorrupted.

5.3. Main Theorem

We prove the following theorem:

Theorem 1. Let OWS be an OAuth web system, thenOWS is secure w.r.t. authorization and securew.r.t. authentication.

Proof Outline (see AppendixG for the full proof). We first show three lemmas that apply to honestRPs and capture specific technical details. The first one saysthat, roughly speaking, messages transferredover HTTPS connections that were initiated by honest RPs cannot be read or altered by other parties. Inparticular, honest RPs do not leak the encryption keys to other parties. In the second lemma, we showthat HTTP(S) messages which await DNS resolution in an honest RP’s state are later sent out over thenetwork without being altered in between. In the third lemma, we show that honest RPs never send

24

HTTP messages to other RPs or themselves, and that they only send HTTPS messages that other RPscannot decrypt.

Authentication.We first prove the authentication property, which we do by contradiction. To this end,we show in three separate lemmas building on each other that (1) the attacker does not learn passwordsof the user, (2) the attacker does not learn authorization codes that could be used to learn a relevantaccess token, and (3) that the attacker in fact does not learnan access token that could be used to retrievea service token as described in the authentication property. We finally show that there is no other wayfor an attacker to get hold of a service token (of the kind described in the authentication property), andthat therefore, the authentication property must hold true.

Authorization. As above, we assume that the authorization property does nothold and lead this to acontradication. The proof then builds upon lemmas shown in the authentication proof. We show that theattacker would need to know an access token to acquire a protected resource. If the protected resourceis bound to a user (i.e., it was not issued in the client credentials mode), then (3) from above applies andshows that the attacker cannot learn such an access token, and thus cannot learn this protected resource.If the protected resource was not assigned to a user (i.e., itwas issued in the client credentials mode),then we can show that the attacker would need to know client secrets to get the protected resource. Weshow, however, that it is not possible for the attacker to learn the necessary client secrets (which arealways required in the client credentials mode). Therefore, whether it is a user-bound protected resourceor not, the attacker cannot learn it, leading our assumptionto a contradiction.

6. Related Work

As already mentioned in the introduction, security analysis of OAuth has so far concentrated on findingbugs in specific OAuth implementations, rather than on performing a detailed security analysis of theOAuth standard itself in a comprehensive web model.

In [4], Bansal, Bhargavan and Maffeis analyze the security of OAuth using the applied pi-calculusand the WebSpi library. They model settings of OAuth 2.0 thatcan be found in practice and assumethe presence of common web vulnerabilities such as Cross-Site Request Forgery and open redirectors inRPs and IdPs. Using this method, they identify previously unknown attacks (mostly CSRF attacks) onthe OAuth implementations of Facebook, Yahoo, and Twitter.The main goal of [4] was to find concretevulnerabilities in implementations that can arise when other vulnerabilities in RPs and IdPs are present.Also, compared to our work, the WebSpi model used in [4] is less expressive and comprehensive, andthe models of OAuth are more limited and aimed at specific implementations (for example, only onemode is considered at any time and malicious IdPs are not considered). While in [4] an automated toolis used to find the vulnerabilities, our work is based on manual proofs.

Wang et al. [29] present a systematic approach to find implicit assumptionsin SDKs (e.g., the Face-book PHP SDK) used for authentication and authorization, including SDKs that implement OAuth 2.0.

In [21], Pai et al. analyze the security of OAuth in a (limited) model that does not incorporate genericweb features. They show that using their approach, based on the Alloy finite-state model checker, knownweaknesses can be found. The same tool is used by Kumar [17] in a formal analysis of the olderOAuth 1.0 protocol (which, as mentioned in the introduction, is very different to OAuth 2.0).

Chari, Jutla, and Roy [5] analyze the security of the authorization code mode in the universally com-posability model, again without considering web features such as semantics of HTTP status codes, de-tails of cookies, or window structures inside a browser.

Besides these formal approaches, empirical studies were conducted on deployed OAuth implementa-tions. In [28], Sun and Beznosov analyze the security of three IdPs and 96 RPs. In [18], Li and Mitchell

25

study the security of 10 IdPs and 60 RPs based in China. In [6,26] practical evaluations on the securityof OAuth implementaions of mobile apps are performed.

In [20], Mladenov et al. perform an informal analysis of the OpenIDConnect extensions discoveryand dynamic client registration and present an attack whichassumes a CSRF vulnerability on the RP’sside. On a high level, this attack resembles the IdP mix-up attack when applied to OpenID Connect. It ex-ploits, however, a different flaw in the dynamic registration extension and is not applicable to OAuth 2.0.Mladenov et al. do not perform formal analysis and they do notconsider OAuth itself, which is the focusof our work.

Note that many of the works listed here led to improved security recommendations for OAuth as listedin RFC6749 [13] and RFC6819 [19] which are thus incorporated in our model of OAuth.

Altogether there have been only very few analysis efforts for web applications and standards based onformal web models. Besides those listed above, important work includes [2,3,8,10,11,16].

7. Conclusion

In this paper, we carried out the first formal analysis of OAuth 2.0 based on a comprehensive andexpressive web model. Our analysis, which aimed at the standard itself, rather than specific OAuthimplementations and deployments, comprises all modes (grant types) of OAuth and available optionsand also takes malicious RPs and IdPs as well as corrupted browsers/users into account. The genericweb model underlying our model of OAuth and its analysis is the most comprehensive web model todate.

Our in-depth analysis revealed two previously unknown attacks on OAuth as well as OpenID connect,which builds on OAuth. We have verified both attacks on an actual implementation and reported bothattacks, along with propositions for fixes, to the respective working groups for OAuth and OpenIDConnect. The working groups confirmed the attacks and adopted our fixes.

With the fixes applied, we were able to prove strong authorization and authentication properties forOAuth 2.0. This, in particular, shows that OAuth, when implemented correctly, can provide authoriza-tion and authentication in practice even though it was not primarily designed for the latter. The fact thatOAuth is one of the most widely deployed authorization and authentication systems in the web makesour analysis particularly relevant.

As for future work, our formal analysis of OAuth offers a goodstarting point for the formal analysisof OpenID Connect, and hence, such an analysis is an obvious next step for our research.

Acknowledgment.This work was in part funded byDeutsche Forschungsgemeinschaft(DFG) throughGrant KU 1434/10-1.

References

[1] M. Abadi and C. Fournet. Mobile Values, New Names, and Secure Communication. InProceed-ings of the 28th ACM Symposium on Principles of Programming Languages (POPL 2001), pages104–115. ACM Press, 2001.

[2] D. Akhawe, A. Barth, P. E. Lam, J. Mitchell, and D. Song. Towards a Formal Foundation of WebSecurity. InProceedings of the 23rd IEEE Computer Security FoundationsSymposium, CSF 2010,pages 290–304. IEEE Computer Society, 2010.

[3] C. Bansal, K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis. Keys to the Cloud: Formal Analysisand Concrete Attacks on Encrypted Web Storage. In D. A. Basinand J. C. Mitchell, editors,

26

Principles of Security and Trust - Second International Conference, POST 2013, volume 7796 ofLecture Notes in Computer Science, pages 126–146. Springer, 2013.

[4] C. Bansal, K. Bhargavan, and S. Maffeis. Discovering Concrete Attacks on Website Authorizationby Formal Analysis. In S. Chong, editor,25th IEEE Computer Security Foundations Symposium,CSF 2012, pages 247–262. IEEE Computer Society, 2012.

[5] S. Chari, C. S. Jutla, and A. Roy. Universally ComposableSecurity Analysis of OAuth v2.0.IACRCryptology ePrint Archive, 2011:526, 2011.

[6] E. Y. Chen, Y. Pei, S. Chen, Y. Tian, R. Kotcher, and P. Tague. OAuth Demystified for MobileApplication Developers. InProceedings of the 2014 ACM SIGSAC Conference on Computer andCommunications Security - CCS ’14, pages 892–903, 2014.

[7] Chromium Project. HSTS Preload Submission.https://hstspreload.appspot.com/.

[8] D. Fett, R. Küsters, and G. Schmitz. An Expressive Model for the Web Infrastructure: Definitionand Application to the BrowserID SSO System. In35th IEEE Symposium on Security and Privacy(S&P 2014), pages 673–688. IEEE Computer Society, 2014.

[9] D. Fett, R. Küsters, and G. Schmitz. Analyzing the BrowserID SSO System with Primary IdentityProviders Using an Expressive Model of the Web. Technical Report arXiv:1411.7210, arXiv, 2014.http://arxiv.org/abs/1411.7210.

[10] D. Fett, R. Küsters, and G. Schmitz. Analyzing the BrowserID SSO System with Primary IdentityProviders Using an Expressive Model of the Web. InComputer Security - ESORICS 2015 - 20thEuropean Symposium on Research in Computer Security, Vienna, Austria, September 21-25, 2015,Proceedings, Part I, Lecture Notes in Computer Science, pages 43–65. Springer,2015.

[11] D. Fett, R. Küsters, and G. Schmitz. SPRESSO: A Secure, Privacy-Respecting Single Sign-OnSystem for the Web. InProceedings of the 22nd ACM SIGSAC Conference on Computer andCommunications Security, Denver, CO, USA, October 12-6, 2015, pages 1358–1369. ACM, 2015.

[12] R. Fielding (ed.) and J. Reschke (ed.). RFC7231 – Hypertext Transfer Protocol (HTTP/1.1): Se-mantics and Content. IETF. Jun. 2014.https://tools.ietf.org/html/rfc7231.

[13] D. Hardt (ed.). RFC6749 – The OAuth 2.0 Authorization Framework. IETF. Oct. 2012.https://tools.ietf.org/html/rfc6749.

[14] HTML5, W3C Recommendation. Oct. 28, 2014.

[15] P. Jones, G. Salgueiro, M. Jones, and J. Smarr. RFC7033 –WebFinger. IETF. Sep. 2013.https://tools.ietf.org/html/rfc7033.

[16] F. Kerschbaum. Simple Cross-Site Attack Prevention. In Third International Conference on Se-curity and Privacy in Communication Networks and the Workshops, SecureComm 2007, pages464–472. IEEE Computer Society, 2007.

[17] A. Kumar. Using automated model analysis for reasoningabout security of web protocols. InProceedings of the 28th Annual Computer Security Applications Conference on - ACSAC’12. As-sociation for Computing Machinery (ACM), 2012.

27

https://hstspreload.appspot.com/

http://arxiv.org/abs/1411.7210

https://tools.ietf.org/html/rfc7231



[18] W. Li and C. J. Mitchell. Security issues in OAuth 2.0 SSOimplementations. InInformationSecurity - 17th International Conference, ISC 2014, Hong Kong, China, October 12-14, 2014.Proceedings, pages 529–541, 2014.

[19] T. Lodderstedt (ed.), M. McGloin, and P. Hunt. RFC6819 –OAuth 2.0 Threat Model and SecurityConsiderations. IETF. Jan. 2013.https://tools.ietf.org/html/rfc6819.

[20] V. Mladenov, C. Mainka, J. Krautwald, F. Feldmann, and J. Schwenk. On the security of modernSingle Sign-On Protocols: OpenID Connect 1.0.CoRR, abs/1508.04324, 2015.

[21] S. Pai, Y. Sharma, S. Kumar, R. M. Pai, and S. Singh. Formal Verification of OAuth 2.0 Using AlloyFramework. InCSNT ’11 Proceedings of the 2011 International Conference on CommunicationSystems and Network Technologies, pages 655–659. Proceedings of the International Conferenceon Communication Systems and Network Technologies, 2011.

[22] N. Sakimura, J. Bradley, and M. Jones. OpenID Connect Dynamic Client Reg-istration 1.0 incorporating errata set 1. OpenID Foundation. Nov. 8, 2014.http://openid.net/specs/openid-connect-registration-1_0.html.

[23] N. Sakimura, J. Bradley, M. Jones, B. de Medeiros, and C.Mortimore. OpenIDConnect Core 1.0 incorporating errata set 1. OpenID Foundation. Nov. 8, 2014.http://openid.net/specs/openid-connect-core-1_0.html.

[24] N. Sakimura, J. Bradley, M. Jones, and E. Jay. OpenID Connect Dis-covery 1.0 incorporating errata set 1. OpenID Foundation. Nov. 8, 2014.http://openid.net/specs/openid-connect-discovery-1_0.html.

[25] J. Selvi. Bypassing HTTP Strict Transport Security. InBlackhat (Europe) 2014, 2014.

[26] M. Shehab and F. Mohsen. Towards Enhancing the Securityof OAuth Implementations in SmartPhones. In2014 IEEE International Conference on Mobile Services. Institute of Electrical &Electronics Engineers (IEEE), jun 2014.

[27] SimilarTech. Facebook Connect Market Share and Web Usage Statistics. Last visited Nov. 7, 2015.https://www.similartech.com/technologies/facebook-connect.

[28] S.-T. Sun and K. Beznosov. The Devil is in the (Implementation) Details: An Empirical Analysisof OAuth SSO Systems. In T. Yu, G. Danezis, and V. D. Gligor, editors, ACM Conference onComputer and Communications Security, CCS’12, pages 378–390. ACM, 2012.

[29] R. Wang, Y. Zhou, S. Chen, S. Qadeer, D. Evans, and Y. Gurevich. Explicating SDKs: Uncov-ering Assumptions Underlying Secure Authentication and Authorization. InProceedings of the22th USENIX Security Symposium, Washington, DC, USA, August 14-16, 2013, pages 399–314.USENIX Association, 2013.

[30] X. Zheng, J. Jiang, J. Liang, H. Duan, S. Chen, T. Wan, andN. Weaver. Cookies Lack Integrity:Real-World Implications. In24th USENIX Security Symposium (USENIX Security 15), pages 707–721, Washington, D.C., Aug. 2015. USENIX Association.

A. OpenID Connect and the Attacks on this Standard

We here provide a more detailed description of the OpenID Connect standard as well as on the twoattacks, 307 redirect and IdP mix-up, on it.

28


http://openid.net/specs/openid-connect-registration-1_0.html

http://openid.net/specs/openid-connect-core-1_0.html

http://openid.net/specs/openid-connect-discovery-1_0.html

https://www.similartech.com/technologies/facebook-connect

Browser RP IdP

/Browser /RP /IdP

1 POST /start

email

2 GET /.wk/webfinger

email

3 Response

idp

4 GET /.wk/openid-configuration

5 Response

issuer, authEP, tokenEP, registrationEP, jwksURI, userinfoEP

6 POST registrationEP

redirect_uris

7 Response

client_id, client_secret

8 Response

Redirect to IdPauthEPwith client_id, redirect_uri, state

9 GET authEP


10 Response

11 POSTauthEP

username, password

12 Response

Redirect to RPredirect_uri, fragment: access_token, code, state

13 GET redirect_uri

14 Response

15 POST /token

access_token, code, state

16 POST tokenEP

code, client_id, redirect_uri, client_secret

17 Response

access_token′, id_token

18 GET jwksURI

19 Response

pubSignKey

20 GET userinfoEP

access_token

21 Response

user_id

22 Response

session_cookie

Figure 8. OpenID Connect 1.0 hybrid mode with discovery and dynamic client registration

29

A.1. Modes and Protocol Flow

OpenID Connect makes use of the OAuth authorization code mode and the implicit mode (both OAuthmodes constitute an OpenID Connect mode), but also introduces a newhybrid mode, which combinesboth modes.

Overview. From a high-level perspective, first, the RP retrieves meta data about the IdP, such as theURLs of the IdP used in the protocol. This is the information that is “hard-wired” in the manual, out-of-band registration in a classic OAuth setup. Next, the RP automatically registers itself as an OAuth clientat the IdP (using OpenID Connect dynamic client registration). Then, the OAuth protocol is started(using one of the modes mentioned above). In addition to an access token this (extended) run deliversa so-calledid tokento RP. The id token is issued by the IdP and contains a unique user identifier alongwith several meta data, such as the intended receiver (the RP) of the id token and the issuer of the idtoken (the IdP). The id token is (optionally) signed by the IdP. Finally, the RP can retrieve more metadata about the user at theuserinfoendpoint at the IdP using the access token and consider the user to belogged in.

Step-by-Step Protocol Flow.In the step-by-step description below (see also Figure8), we focus on thehybrid mode only. First, the user starts the login process byentering her email address15 in her browser(at some web page of an RP), which sends the email address to the RP in 1 .

Now, the RP uses the OpenID Connect Discovery protocol [24] to gain information about the IdP:The RP uses the WebFinger [15] mechanism to discover information about which IdP is responsible forthis user. For this discovery, the RP contacts the server of the user’s email domain (depicted as the sameparty as the IdP in the figure) in2 . The result of the WebFinger request in3 contains the domain ofthe server responsible for the OpenID Connect configuration(the IdP). The configuration is requestedfrom the IdP in 4 and returned in5 . The configuration contains meta data about the IdP, including allendpoints at the IdP. This concludes the OpenID Discovery inthis login flow.

Next, if the RP is not registered at the IdP, the RP starts the OpenID Connect dynamic client regis-tration [22] protocol: the RP contacts the IdP in6 providing its redirect URIs. Now, the IdP issues an(OAuth) client id and (optionally) an (OAuth) client secretto the RP in 7 . This concludes the OpenIDConnect dynamic client registration.

Now, the core part of the OpenID Connect protocol (based on OAuth) starts: the RP redirects theuser’s browser to the IdP in8 . This redirect contains information that the hybrid mode isused andwhich tokens are requested. In this description, we assume that an authorization code and an accesstoken are requested.16 Also, this redirect contains the (OAuth) client id of the RP,a redirect URI and astate value. As in the OAuth flows, this data is sent to the IdP9 , the user authenticates to the IdP10 ,11 , and the IdP redirects the user’s browser back to the RP in12 and 13 (using the redirect URI fromthe request in9 ). This redirect contains an authorization code, an access token, and the state value inthe fragment part of the URL.17 Now, the RP in14 sends a document containing JavaScript code whichsends the parameters contained in the fragment back to the RP(in 15 ). If the state value matches, theRP contacts the IdP in16 with the received authorization code, its (OAuth) client id, its (OAuth) clientsecret, and the redirect URI used to obtain the authorization code. The IdP sends a response with thesame or a fresh access token and an id token to the RP in17 . Now, the RP retrieves the key that wasused to sign the id token from the IdP in18 and 19 and verifies the id token’s signature. As the idtoken typically contains only a unique user identifier, but no other meta data about the user, RP requeststhis meta data (such as nickname, birthday, or address) fromthe IdP in 20 and 21 using one of the

15Note that OpenID Connect also allows other types of user identifiers, such as a personal URL.16The Hybrid Flow allows to request several different combinations of authorization code, access token, and id token.17Note that depending on the parameters in step9 , also an id token may be contained in the fragment part of the URL.

30

authorization tokens received before. Finally, the RP considers the user to be logged in and may set asession cookie at the user’s browser in22 .

Note that the authorization code mode and the implicit mode are similar to the hybrid mode: Roughlyspeaking, the Steps12 – 17 of the OpenID Connect hybrid mode are replaced by the correspondingsteps of the OAuth authorization code or implicit mode, respectively. These OAuth modes are thenextended with the transfer of an id token. In the authorization code mode, the id token is appended to theresponse9 of Figure1 and in the implicit mode, the id token is appended to the fragment of the redirectURI in 6 of Figure2 (and later sent to the RP in Step9 ).

A.2. The 307 Redirect Attack

The 307 redirect attack presented in Section3.1 can also be applied to OpenID Connect. Note thatthe critical part of OAuth, namely the redirect of the user’sbrowser from the IdP to the RP after theauthentication of the user to the IdP, is also present in OpenID Connect. Hence, if the IdP uses an HTTPstatus 307 redirect immediately after the user’s browser has transferred the user’s credentials to IdP in aPOST request, the RP receives these credentials.

A.3. The IdP Mix-Up Attack

When applying the attack presented in Section3.2to OpenID Connect, the attacker needs to circumventsome additional security measures: In the implicit mode of OpenID Connect, anid_token(as describedabove) is sent along withaccess_token in the redirect from HIdP to the RP. As this redirect mightuse HTTPS, the attacker cannot inspect or modify the corresponding network messages. As mentionedabove, the id token contains the domain of the issuer of both,the access token and the id token. Therefore,the RP can detect that the user did not use AIdP (which the RP redirected to).

An attacker could try to use the authorization code mode of OpenID Connect to mount a similar attackas described above. In this case, however, the attacker doesnot learn a valid access token for the user’saccount at HIdP if a client secret is used.

In the hybrid mode, however, an attacker can learn an access token and mount the attack as follows(see also Figure9):

As above, the user first visits the RP. When the user sends her email address to the RP in order tologin 1 , the attacker manipulates the domain part of the email address, to be the domain of AIdP2 . TheRP then looks up the IdP to be used (which is now AIdP) using theWebFinger protocol in Steps3 and 4 .The RP fetches the OpenID Connect configuration from the attacker (5 and 6 ). In this document, theattacker states that the authorization endpoint is locatedat HIdP while all other endpoints are located atthe attacker. Using parameters not shown in the figures, the attacker can also state that this IdP does notsupport delivering an id token in the redirect and can state that no signatures are supported. Since nosignatures need to be checked, also the key retrieval is skipped in the protocol.

After retrieving the OpenID configuration, the RP registersat AIdP, as the attacker uses a domainpreviously unknown to the RP. (If the domain was known to the RP, this step would be skipped.) Theattacker issues the sameclient_id with which the RP is registered at HIdP (7 and 8 ). Now, the RPredirects the user’s browser to HIdP in order to log in. Afterthe user authenticated to HIdP, HIdPredirects the user’s browser back to the RP. The fragment part of the URL contains an authorizationcode and an access token14 . The RP then sends the authorization code to the attacker in17 .

If the RP does not have a client secret registered at HIdP, theattacker can redeem this authorizationcode at HIdP in order to receive an access token to access the honest user’s protected resources atHIdP. This breaks the authorization of OpenID Connect (compare the OAuth authorization property inSection5.2).

31

Browser RP Attacker (AIdP) HIdP

/Browser /RP /Attacker (AIdP) /HIdP

1 POST /start

email

2 POST /start

email′

3 GET /.wk/webfinger

email′

4 Response

attacker

5 GET /.wk/openid-configuration

6 Response

issuer′, authEP, tokenEP′, registrationEP′, jwksURI, userinfoEP′,responseTypes

7 POST registrationEP′

redirect_uris

8 Response

client_id, client_secret′

9 Response

Redirect to HIdPauthEPwith client_id, redirect_uri, state

10 GET authEP


11 Response

12 POSTauthEP

username, password

13 Response

Redirect to RPredirect_uri, fragment: access_token, code, state

14 GET redirect_uri

15 Response

16 POST /token

access_token, code, state

17 POST tokenEP′

code, client_id, redirect_uri, client_secret′

18 Response

access_token′, id_token

19 GET userinfoEP

access_token

20 GET /protectedResource

access_token

21 Response

secret user data

Figure 9. Attack on OpenID Connect 1.0 hybrid mode with discovery and dynamic client registration

32

Alternatively, the attacker responds to the RP with a faked access token and a faked id token18 (whichthe attacker can create, because he controls all security settings for this id token, see Step6 ).

Next, the RP retrieves other meta information about the userfrom AIdP. The RP is now in possessionof two access tokens. The OpenID Connect standard explicitly allows this situation, but fails to statewhich access token has to be used in subsequent requests. TheRP can now chose either of the accesstokens for the next steps, with different outcomes for the attacker:

First Access Token is Selected.In this case the access token originating from HIdP is selected by theRP and sent to the attacker19 . (This behavior was observed by us in the real-world implementationmod_auth_openidc.)

Now the attacker can use this access token to access other protected resources of the user at HIdP. Thisbreaks authorization for OpenID Connect (compare our OAuthauthorization property in Section5.2).

Second Access Token is Selected.In this case the access token originating from AIdP is selected. Thismeans that the attacker does not learn a valid access token for HIdP. The attacker can, however, reuse theauthorization code for HIdP, which he learned in17 and which is still valid as it has not been redeemed atHIdP, yet. Using this method, the attacker can impersonate the honest user at the RP. To accomplish this,the attacker starts a new login flow at the RP with the user’s email address. In Step15 of Figure8, heprovides the authorization code he has learned along with some (invalid) access token and the state fromhis (new) login flow to the RP. The RP then requests an access token and an id token from HIdP withthis (still valid) authorization code. The RP receives a valid access token and a valid id token (for thehonest user) from HIdP. As the RP uses this valid access tokenin this case, all subsequent requests fromthe RP to HIdP are successful and the RP receives the user id ofthe honest user, the RP considers theattacker to be logged in as the honest user. This breaks the authentication of OpenID Connect (compareour OAuth authentication property in Section5.2).

B. The Generic Web Model

In this section, we present the model of the web infrastructure as proposed in [8] and [9], along with thefollowing changes and additions:

• We introduce a new header,Authorization, as a model for HTTP Basic Authentication.18

• Browsers now may have multiple passwords stored for a singleorigin; before, there was only onepassword for each origin.

B.1. Communication Model

We here present details and definitions on the basic conceptsof the communication model.

Terms, Messages and Events.The signatureΣ for the terms and messages considered in this work isthe union of the following pairwise disjoint sets of function symbols:

• constantsC = IPs ∪ S∪{⊤,⊥,✸} where the three sets are pairwise disjoint,S is interpreted tobe the set of ASCII strings (including the empty stringε), andIPs is interpreted to be a set of (IP)addresses,

• function symbols for public keys, (a)symmetric encryption/decryption, and signatures:pub(·),enca(·, ·), deca(·, ·), encs(·, ·), decs(·, ·), sig(·, ·), checksig(·, ·), andextractmsg(·),

18Note that although the header is called “Authorization” (following RFC2617), this is a mechanism for authentication.

33

deca(enca(x,pub(y)),y) = x (1)

decs(encs(x,y),y) = x (2)

checksig(sig(x,y),x,pub(y)) =⊤ (3)

πi(〈x1, . . . ,xn〉) = xi if 1 ≤ i ≤ n (4)

π j(〈x1, . . . ,xn〉) =✸ if j 6∈ {1, . . . ,n} (5)

Figure 10. Equational theory forΣ.

• n-ary sequences〈〉,〈·〉,〈·, ·〉,〈·, ·, ·〉, etc., and

• projection symbolsπi(·) for all i ∈ N.

For strings (elements inS), we use a specific font. For example,HTTPReq andHTTPResp are strings.We denote byDoms ⊆ S the set of domains, e.g.,example.com ∈ Doms. We denote byMethods ⊆ Sthe set of methods used in HTTP requests, e.g.,GET, POST ∈Methods.

The equational theory associated with the signatureΣ is given in Figure10.

Definition 1 (Nonces and Terms).By X = {x0,x1, . . .} we denote a set of variables and byN we de-note an infinite set of constants (nonces) such thatΣ, X, andN are pairwise disjoint. ForN ⊆ N , wedefine the setTN(X) of termsoverΣ∪N∪X inductively as usual: (1) Ift ∈N∪X, thent is a term. (2) Iff ∈ Σ is ann-ary function symbol inΣ for somen≥ 0 andt1, . . . , tn are terms, thenf (t1, . . . , tn) is a term.

By ≡ we denote the congruence relation onTN (X) induced by the theory associated withΣ. Forexample, we have thatπ1(deca(enca(〈a,b〉,pub(k)),k)) ≡ a.

Definition 2 (Ground Terms, Messages, Placeholders, Protomessages).By TN = TN( /0), we denotethe set of all terms overΣ∪N without variables, calledground terms. The setM of messages (overN )is defined to be the set of ground termsTN .

We define the setVprocess= {ν1,ν2, . . .} of variables (called placeholders). The setM ν := TN (Vprocess)is called the set ofprotomessages, i.e., messages that can contain placeholders.

Example 1. For example,k ∈ N and pub(k) are messages, wherek typically models a private keyand pub(k) the corresponding public key. For constantsa, b, c and the noncek ∈ N , the messageenca(〈a,b,c〉,pub(k)) is interpreted to be the message〈a,b,c〉 (the sequence of constantsa, b, c) en-crypted by the public keypub(k).

Definition 3 (Normal Form). Let t be a term. Thenormal formof t is acquired by reducing the functionsymbols from left to right as far as possible using the equational theory shown in Figure10. For a termt, we denote its normal form ast↓.

Definition 4 (Pattern Matching). Let pattern∈ TN ({∗}) be a term containing the wildcard (variable∗). We say that a termt matches patterniff t can be acquired frompatternby replacing each occurrenceof the wildcard with an arbitrary term (which may be different for each instance of the wildcard). Wewrite t ∼ pattern. For a sequence of patternspatternswe write t∼̇patternsto denote thatt matches atleast one pattern inpatterns.

For a termt ′ we writet ′|patternto denote the term that is acquired fromt ′ by removing all immediatesubterms oft ′ that do not matchpattern.

34

Example 2. For example, for a patternp= 〈⊤,∗〉 we have that〈⊤,42〉 ∼ p, 〈⊥,42〉 6∼ p, and

〈〈⊥,⊤〉,〈⊤,23〉,〈a,b〉,〈⊤,⊥〉〉| p = 〈〈⊤,23〉,〈⊤,⊥〉〉 .

Definition 5 (Variable Replacement). Let N⊆N , τ ∈ TN({x1, . . . ,xn}), andt1, . . . , tn ∈ TN.By τ [t1/x1, . . . , tn/xn] we denote the (ground) term obtained fromτ by replacing all occurrences ofxi

in τ by ti, for all i ∈ {1, . . . ,n}.

Definition 6 (Events and Protoevents).An event (overIPs andM ) is a term of the form〈a, f ,m〉, fora, f ∈ IPs andm∈M , wherea is interpreted to be the receiver address andf is the sender address. Wedenote byE the set of all events. Events overIPs andM ν are calledprotoeventsand are denotedEν .By 2E〈〉 (or 2Eν 〈〉, respectively) we denote the set of all sequences of (proto)events, including the emptysequence (e.g.,〈〉, 〈〈a, f ,m〉,〈a′, f ′,m′〉, . . . 〉, etc.).

Atomic Processes, Systems and Runs.An atomic process takes its current state and an event as input, and then (non-deterministically) out-

puts a new state and a set of events.

Definition 7 (Generic Atomic Processes and Systems).A (generic) atomic processis a tuple

p= (I p,Zp,Rp,sp0)

whereI p⊆ IPs, Zp ∈ TN is a set of states,Rp⊆ (E ×Zp)× (2Eν 〈〉×TN (Vprocess)) (input event and oldstate map to sequence of output events and new state), andsp

0 ∈ Zp is the initial state ofp. For any newstatesand any sequence of nonces(η1,η2, . . . ) we demand thats[η1/ν1,η2/ν2, . . . ] ∈ Zp. A systemP isa (possibly infinite) set of atomic processes.

Definition 8 (Configurations). A configuration of a systemP is a tuple(S,E,N) where the state of thesystemSmaps every atomic processp∈ P to its current stateS(p) ∈ Zp, the sequence of waiting eventsE is an infinite sequence19 (e1,e2, . . . ) of events waiting to be delivered, andN is an infinite sequence ofnonces(n1,n2, . . . ).

Definition 9 (Concatenating sequences).For a terma = 〈a1, . . . ,ai〉 and a sequenceb = (b1,b2, . . . ),we define theconcatenationasa·b := (a1, . . . ,ai ,b1,b2, . . . ).

Definition 10 (Subtracting from Sequences).For a sequenceX and a set or sequenceY we defineX \Y to be the sequenceX where for each element inY, a non-deterministically chosen occurence ofthat element inX is removed.

Definition 11 (Processing Steps).A processing step of the systemP is of the form

(S,E,N)ein→p−−−−→p→Eout

(S′,E′,N′)

where

1. (S,E,N) and(S′,E′,N′) are configurations ofP ,

2. ein = 〈a, f ,m〉 ∈ E is an event,

3. p∈ P is a process,

19Here: Not in the sense of terms as defined earlier.

35

4. Eout is a sequence (term) of events

such that there exists

1. a sequence (term)Eν

out⊆ 2Eν 〈〉 of protoevents,

2. a termsν ∈ TN (Vprocess),

3. a sequence(v1,v2, . . . ,vi) of all placeholders appearing inEν

out (ordered lexicographically),

4. a sequenceNν = (η1,η2, . . . ,ηi) of the firsti elements inN

with

1. ((ein,S(p)),(Eν

out,sν)) ∈ Rp anda∈ I p,

2. Eout = Eν

out[m1/v1, . . . ,mi/vi ]

3. S′(p) = sν [m1/v1, . . . ,mi/vi ] andS′(p′) = S(p′) for all p′ 6= p

4. E′ = Eout · (E \{ein})

5. N′ = N\Nν

We may omit the superscript and/or subscript of the arrow.

Intuitively, for a processing step, we select one of the processes inP , and call it with one of the eventsin the list of waiting eventsE. In its output (new state and output events), we replace any occurences ofplaceholdersνx by “fresh” nonces fromN (which we then remove fromN). The output events are thenprepended to the list of waiting events, and the state of the process is reflected in the new configuration.

Definition 12 (Runs). Let P be a system,E0 be sequence of events, andN0 be a sequence of nonces. Arunρ of a systemP initiated by E0 with nonces N0 is a finite sequence of configurations((S0,E0,N0), . . . ,(Sn,En,Nn)) or an infinite sequence of configurations((S0,E0,N0), . . . ) such thatS0(p) = sp

0 for allp∈ P and(Si ,Ei,Ni)−→ (Si+1,Ei+1,Ni+1) for all 0≤ i < n (finite run) or for alli ≥ 0 (infinite run).

We denote the stateSn(p) of a processp at the end of a runρ by ρ(p).

Usually, we will initiate runs with a setE0 containing infinite trigger events of the form〈a,a,TRIGGER〉for eacha∈ IPs, interleaved by address.

Atomic Dolev-Yao Processes.We next define atomic Dolev-Yao processes, for which we require thatthe messages and states that they output can be computed (more formally, derived) from the currentinput event and state. For this purpose, we first define what itmeans to derive a message from givenmessages.

Definition 13 (Deriving Terms). Let M be a set of ground terms. We say thata term m can be derivedfrom M with placeholders Vif there existn≥ 0, m1, . . . ,mn ∈M, andτ ∈ T /0({x1, . . . ,xn}∪V) such thatm≡ τ [m1/x1, . . . ,mn/xn]. We denote bydV(M) the set of all messages that can be derived fromM withvariablesV.

For example,a∈ d{}({enca(〈a,b,c〉,pub(k)),k}).

Definition 14 (Atomic Dolev-Yao Process).An atomic Dolev-Yao process (or simply, a DY process)isa tuplep= (I p,Zp, Rp,sp

0) such that(I p,Zp,Rp,sp0) is an atomic process and (1)Zp ⊆ TN (and hence,

sp0 ∈ TN ), and (2) for all eventse∈ E , sequences of protoeventsE, s∈ TN , s′ ∈ TN (Vprocess), with((e,s),(E,s′)) ∈ Rp it holds true thatE, s′ ∈ dVprocess({e,s}).

36

Definition 15 (Atomic Attacker Process). An (atomic) attacker process for a set of sender addressesA⊆ IPs is an atomic DY processp = (I ,Z,R,s0) such that for all eventse, ands∈ TN we have that((e,s),(E,s′)) ∈ R iff s′ = 〈e,E,s〉 andE = 〈〈a1, f1,m1〉, . . . ,〈an, fn,mn〉〉 with n ∈ N, a1, . . . ,an ∈ IPs,f0, . . . , fn ∈ A, m1, . . . ,mn ∈ dVprocess({e,s}).

B.2. Scripting Processes

We define scripting processes, which model client-side scripting technologies, such as JavaScript. Script-ing processes are defined similarly to DY processes.

Definition 16 (Placeholders for Scripting Processes).By Vscript = {λ1, . . .} we denote an infinite setof variables used in scripting processes.

Definition 17 (Scripting Processes).A scripting process(or simply, ascript) is a relationR⊆ TN ×TN (Vscript) such that for alls∈ TN , s′ ∈ TN (Vscript) with (s,s′) ∈R it follows thats′ ∈ dVscript(s).

A script is called by the browser which provides it with stateinformation (such as the script’s last stateand limited information about the browser’s state)s. The script then outputs a terms′, which representsthe new internal state and some command which is interpretedby the browser. The terms′ may containvariablesλ1, . . . which the browser will replace by (otherwise unused) placeholdersν1, . . . which willbe replaced by nonces once the browser DY process finishes (effectively providing the script with a wayto get “fresh” nonces).

Similarly to an attacker process, we define theattacker script Ratt:

Definition 18 (Attacker Script). The attacker scriptRatt outputs everything that is derivable from theinput, i.e.,Ratt = {(s,s′) | s∈ TN ,s′ ∈ dVscript(s)}.

B.3. Web System

The web infrastructure and web applications are formalizedby what is called a web system. A websystem contains, among others, a (possibly infinite) set of DY processes, modeling web browsers, webservers, DNS servers, and attackers (which may corrupt other entities, such as browsers).

Definition 19. A web systemWS = (W,S ,script,E0) is a tuple with its components defined as follows:The first component,W, denotes a system (a set of DY processes) and is partitioned into the setsHon,

Web, andNet of honest, web attacker, and network attacker processes, respectively.Every p ∈Web∪Net is an attacker process for some set of sender addressesA⊆ IPs. For a web

attackerp∈Web, we require its set of addressesI p to be disjoint from the set of addresses of all otherweb attackers and honest processes, i.e.,I p∩ I p′ = /0 for all p′ ∈ Hon∪Web. Hence, a web attackercannot listen to traffic intended for other processes. Also,we require thatA= I p, i.e., a web attacker canonly use sender addresses it owns. Conversely, a network attacker may listen to all addresses (i.e., norestrictions onI p) and may spoof all addresses (i.e., the setA may beIPs).

Every p∈ Hon is a DY process which models either aweb server, a web browser, or aDNS server,as further described in the following subsections. Just as for web attackers, we require thatp does notspoof sender addresses and that its set of addressesI p is disjoint from those of other honest processesand the web attackers.

The second component,S , is a finite set of scripts such thatRatt∈ S . The third component,script, isan injective mapping fromS to S, i.e., byscript everys∈ S is assigned its string representationscript(s).

Finally, E0 is an (infinite) sequence of events, containing an infinite number of events of the form〈a,a,TRIGGER〉 for everya∈

⋃

p∈W I p.A run of WS is a run ofW initiated byE0.

37

C. Message and Data Formats

We now provide some more details about data and message formats that are needed for the formaltreatment of the web model and the analysis of BrowserID presented in the rest of the appendix.

C.1. Notations

Definition 20 (Sequence Notations).For a sequencet = 〈t1, . . . , tn〉 and a setswe uset ⊂〈〉 s to say thatt1, . . . , tn ∈ s. We definex∈〈〉 t ⇐⇒ ∃i : ti = x. We write t +〈〉 y to denote the sequence〈t1, . . . , tn,y〉.For a finite setM with M = {m1, . . . ,mn} we use〈M〉 to denote the term of the form〈m1, . . . ,mn〉. (Theorder of the elements does not matter; one is chosen arbitrarily.)

Definition 21. A dictionary over X and Yis a term of the form

〈〈k1,v1〉, . . . ,〈kn,vn〉〉

wherek1, . . . ,kn ∈ X, v1, . . . ,vn ∈ Y, and the keysk1, . . . ,kn are unique, i.e.,∀i 6= j : ki 6= k j . We callevery term〈ki ,vi〉, i ∈ {1, . . . ,n}, anelementof the dictionary with keyki and valuevi . We often write[k1 : v1, . . . ,ki : vi , . . . ,kn : vn] instead of〈〈k1,v1〉, . . . ,〈kn,vn〉〉. We denote the set of all dictionaries overX andY by [X×Y].

We note that the empty dictionary is equivalent to the empty sequence, i.e.,[] = 〈〉. Figure11 shows theshort notation for dictionary operations that will be used when describing the browser atomic process.For a dictionaryz= [k1 : v1,k2 : v2, . . . ,kn : vn] we writek ∈ z to say that there existsi such thatk = ki .We writez[k j ] := v j to extract elements. Ifk 6∈ z, we setz[k] := 〈〉.

[k1 : v1, . . . ,ki : vi , . . . ,kn : vn] [ki ] = vi (6)

[k1 : v1, . . . ,ki−1 : vi−1,ki : vi ,ki+1 : vi+1 . . . ,kn : vn]−ki =

[k1 : v1, . . . ,ki−1 : vi−1,ki+1 : vi+1 . . . ,kn : vn] (7)

Figure 11. Dictionary operators with 1≤ i ≤ n.

Given a termt = 〈t1, . . . , tn〉, we can refer to any subterm using a sequence of integers. Thesubterm isdetermined by repeated application of the projectionπi for the integersi in the sequence. We call sucha sequence apointer:

Definition 22. A pointer is a sequence of non-negative integers. We writeτ .p for the application of thepointer p to the termτ . This operator is applied from left to right. For pointers consisting of a singleinteger, we may omit the sequence braces for brevity.

Example 3. For the termτ = 〈a,b,〈c,d,〈e, f 〉〉〉 and the pointerp = 〈3,1〉, the subterm ofτ at thepositionp is c= π1(π3(τ)). Also, τ .3.〈3,1〉 = τ .3.p= τ .3.3.1= e.

To improve readability, we try to avoid writing, e.g.,o.2 orπ2(o) in this document. Instead, we willuse the names of the components of a sequence that is of a defined form as pointers that point to thecorresponding subterms. E.g., if anOrigin term is defined as〈host,protocol〉 ando is an Origin term,then we can writeo.protocol instead ofπ2(o) or o.2. See also Example4.

38

C.2. URLs

Definition 23. A URL is a term of the form

〈URL,protocol,host,path,parameters, fragment〉

with protocol∈ {P,S} (for plain (HTTP) andsecure (HTTPS)),host∈ Doms, path∈ S, parameters∈[S×TN

], andfragment∈ TN . The set of all valid URLs isURLs.

Thefragmentpart of a URL can be omitted when writing the URL. Its value is then defined to be⊥.

Example 4. For the URLu= 〈URL,a,b,c,d〉, u.protocol= a. If, in the algorithm described later, wesayu.path := e thenu= 〈URL,a,b,c,e〉 afterwards.

C.3. Origins

Definition 24. An origin is a term of the form〈host,protocol〉 with host∈Doms andprotocol∈ {P,S}.We writeOrigins for the set of all origins.

Example 5. For example,〈FOO,S〉 is the HTTPS origin for the domainFOO, while 〈BAR,P〉 is the HTTPorigin for the domainBAR.

C.4. Cookies

Definition 25. A cookieis a term of the form〈name,content〉 wherename∈ TN , andcontentis a termof the form〈value,secure,session,httpOnly〉 wherevalue∈ TN , secure, session, httpOnly∈ {⊤,⊥}. Wewrite Cookies for the set of all cookies andCookiesν for the set of all cookies where names and valuesare defined overTN (V).

If the secureattribute of a cookie is set, the browser will not transfer this cookie over unencryptedHTTP connections. If thesessionflag is set, this cookie will be deleted as soon as the browser is closed.ThehttpOnlyattribute controls whether JavaScript has access to this cookie.

Note that cookies of the form described here are only contained in HTTP(S) requests. In responses,only the componentsnameandvalueare transferred as a pairing of the form〈name,value〉.

C.5. HTTP Messages

Definition 26. An HTTP requestis a term of the form shown in (8). An HTTP responseis a term of theform shown in (9).

〈HTTPReq,nonce,method,host,path,parameters,headers,body〉 (8)

〈HTTPResp,nonce,status,headers,body〉 (9)

The components are defined as follows:

• nonce∈N serves to map each response to the corresponding request

• method∈Methods is one of the HTTP methods.

• host∈Doms is the host name in the HOST header of HTTP/1.1.

• path∈ S is a string indicating the requested resource at the server side

39

• status∈ S is the HTTP status code (i.e., a number between 100 and 505, asdefined by the HTTPstandard)

• parameters∈[S×TN

]contains URL parameters

• headers∈[S×TN

], containing request/response headers. The dictionary elements are terms of

one of the following forms:

• 〈Origin,o〉 whereo is an origin,

• 〈Set-Cookie,c〉 wherec is a sequence of cookies,

• 〈Cookie,c〉 wherec∈,[S×TN

](note that in this header, only names and values of cookies

are transferred),

• 〈Location, l〉 wherel ∈ URLs,

• 〈Referer, r〉 wherer ∈ URLs,

• 〈Strict-Transport-Security,⊤〉,

• 〈Authorization,〈u, p〉〉 whereu, p∈ S,

• body∈ TN in requests and responses.

We writeHTTPRequests/HTTPResponses for the set of all HTTP requests or responses, respectively.

Example 6 (HTTP Request and Response).

r :=〈HTTPReq,n1,POST,example.com,/show,〈〈index,1〉〉,

[Origin : 〈example.com,S〉],〈foo,bar〉〉 (10)

s :=〈HTTPResp,n1,200,〈〈Set-Cookie,〈〈SID,〈n2,⊥,⊥,⊤〉〉〉〉〉,〈somescript,x〉〉 (11)

An HTTP GET request for the URLhttp://example.com/show?index=1 is shown in (10), with anOrigin header and a body that contains〈foo,bar〉. A possible response is shown in (11), which containsan httpOnly cookie with nameSID and valuen2 as well as the string representationsomescript of thescripting processscript−1(somescript) (which should be an element ofS ) and its initial statex.

Encrypted HTTP Messages..For HTTPS, requests are encrypted using the public key of theserver.Such a request contains an (ephemeral) symmetric key chosenby the client that issued the request. Theserver is supported to encrypt the response using the symmetric key.

Definition 27. An encrypted HTTP requestis of the formenca(〈m,k′〉,k), wherek, k′ ∈ N andm∈HTTPRequests. The correspondingencrypted HTTP responsewould be of the formencs(m′,k′), wherem′ ∈HTTPResponses. We call the sets of all encrypted HTTP requests and responsesHTTPSRequestsorHTTPSResponses, respectively.

Example 7.

enca(〈r,k′〉,pub(kexample.com)) (12)

encs(s,k′) (13)

The term (12) shows an encrypted request (withr as in (10)). It is encrypted using the public keypub(kexample.com). The term (13) is a response (withsas in (11)). It is encrypted symmetrically using the(symmetric) keyk′ that was sent in the request (12).

40

http://example.com/show?index=1

C.6. DNS Messages

Definition 28. A DNS requestis a term of the form〈DNSResolve,domain,n〉 wheredomain∈ Doms,n∈N . We call the set of all DNS requestsDNSRequests.

Definition 29. A DNS responseis a term of the form〈DNSResolved,domain, result,n〉 with domain∈ Doms, result∈ IPs, n∈N . We call the set of all DNS responsesDNSResponses.

DNS servers are supposed to include the nonce they received in a DNS request in the DNS responsethat they send back so that the party which issued the requestcan match it with the request.

C.7. DNS Servers

Here, we consider a flat DNS model in which DNS queries are answered directly by one DNS serverand always with the same address for a domain. A full (hierarchical) DNS system with recursive DNSresolution, DNS caches, etc. could also be modeled to cover certain attacks on the DNS system itself.

Definition 30. A DNS server d(in a flat DNS model) is modeled in a straightforward way as an atomicDY process(Id,{sd

0},Rd,sd

0). It has a finite set of addressesId and its initial (and only) statesd0 encodes

a mapping from domain names to addresses of the form

sd0 = 〈〈domain1,a1〉,〈domain2,a2〉, . . .〉 .

DNS queries are answered according to this table (otherwiseignored).

D. Detailed Description of the Browser Model

Following the informal description of the browser model in Section4.3, we now present a formal model.We start by introducing some notation and terminology.

D.1. Notation and Terminology (Web Browser State)

Before we can define the state of a web browser, we first have to define windows and documents.

Definition 31. A window is a term of the formw = 〈nonce,documents,opener〉 with nonce∈ N ,documents⊂〈〉 Documents (defined below),opener∈ N ∪{⊥} whered.active = ⊤ for exactly oned∈〈〉 documentsif documentsis not empty (we then calld theactive document of w). We writeWindows

for the set of all windows. We writew.activedocument to denote the active document inside windoww if it exists and〈〉 else.

We will refer to the window nonce as(window) reference.The documents contained in a window term to the left of the active document are the previously

viewed documents (available to the user via the “back” button) and the documents in the window termto the right of the currently active document are documents available via the “forward” button.

A window a may have opened a top-level windowb (i.e., a window term which is not a subterm of adocument term). In this case, theopenerpart of the termb is the nonce ofa, i.e.,b.opener= a.nonce.

Definition 32. A document dis a term of the form

〈nonce, location, referrer,script,scriptstate,scriptinputs,subwindows,active〉

41

where nonce∈ N , location ∈ URLs, referrer ∈ URLs ∪ {⊥}, script ∈ TN , scriptstate∈ TN ,scriptinputs∈ TN , subwindows⊂〈〉Windows, active∈ {⊤,⊥}. A limited documentis a term of the form〈nonce,subwindows〉with nonce, subwindowsas above. A windoww∈〈〉 subwindowsis called asubwin-dow(of d). We writeDocuments for the set of all documents. For a document termd we writed.originto denote the origin of the document, i.e., the term〈d.location.host,d.location.protocol〉 ∈Origins.

We will refer to the document nonce as(document) reference.We can now define the set of states of web browsers. Note that weuse the dictionary notation that we

introduced in Definition21.

Definition 33. Theset of states Zp of a web browser atomic process pconsists of the terms of the form

〈windows, ids,secrets,cookies, localStorage,sessionStorage,keyMapping,

sts,DNSaddress,pendingDNS,pendingRequests, isCorrupted〉

where

• windows⊂〈〉Windows,

• ids⊂〈〉 TN ,

• secrets∈[Origins×TN

],

• cookiesis a dictionary overDoms and sequences ofCookies,

• localStorage∈[Origins×TN

],

• sessionStorage∈[OR×TN

]for OR:= {〈o, r〉|o∈ Origins, r ∈N },

• keyMapping∈[Doms×TN

],

• sts⊂〈〉 Doms,

• DNSaddress∈ IPs,

• pendingDNS∈[N ×TN

],

• pendingRequests∈ TN ,

• andisCorrupted∈ {⊥,FULLCORRUPT, CLOSECORRUPT}.

Definition 34. For two window termsw andw′ we writewchildof−−−→ w′ if

w∈〈〉 w′.activedocument.subwindows .

We writechildof+−−−−→ for the transitive closure.

In the following description of the web browser relationRp we use the helper functionsSubwindows,Docs, Clean, CookieMerge andAddCookie.

Given a browser states, Subwindows(s) denotes the set of all pointers20 to windows in the window lists.windows, their active documents, and (recursively) the subwindowsof these documents. We excludesubwindows of inactive documents and their subwindows. With Docs(s) we denote the set of pointersto all active documents in the set of windows referenced bySubwindows(s).

20Recall the definition of a pointer in Definition22.

42

Definition 35. For a browser states we denote bySubwindows(s) the minimal set of pointers that sat-isfies the following conditions: (1) For all windowsw ∈〈〉 s.windows there is ap ∈ Subwindows(s)such thats.p= w. (2) For all p∈ Subwindows(s), the active documentd of the windows.p and everysubwindoww of d there is a pointerp′ ∈ Subwindows(s) such thats.p′ = w.

Given a browser states, the setDocs(s) of pointers to active documents is the minimal set such thatfor everyp∈ Subwindows(s), there is a pointerp′ ∈ Docs(s) with s.p′ = s.p.activedocument.

By Subwindows+(s) andDocs+(s) we denote the respective sets that also include the inactivedocu-ments and their subwindows.

The functionClean will be used to determine which information about windows and documents thescript running in the documentd has access to.

Definition 36. Let sbe a browser state andd a document. ByClean(s,d) we denote the term that equalss.windows but with all inactive documents removed (including their subwindows etc.) and all subtermsthat represent non-same-origin documents w.r.t.d replaced by a limited documentd′ with the samenonce and the same subwindow list. Note that non-same-origin documents on all levels are replaced bytheir corresponding limited document.

The functionCookieMerge merges two sequences of cookies together: When used in the browser,oldcookiesis the sequence of existing cookies for some origin,newcookiesis a sequence of new cookiesthat was output by some script. The sequences are merged intoa set of cookies using an algorithm thatis based on theStorage Mechanismalgorithm described in RFC6265.

Definition 37. For a sequence of cookies (with pairwise different names)oldcookiesand a sequenceof cookiesnewcookies, the setCookieMerge(oldcookies,newcookies) is defined by the following al-gorithm: Fromnewcookiesremove all cookiesc that havec.content.httpOnly ≡ ⊤. For anyc,c′ ∈〈〉 newcookies, c.name ≡ c′.name, remove the cookie that appears left of the other innewcookies.Let m be the set of cookies that have a name that either appears inoldcookiesor in newcookies, but notin both. For all pairs of cookies(cold,cnew) with cold ∈

〈〉 oldcookies, cnew∈〈〉 newcookies, cold.name ≡

cnew.name, addcnew to m if cold.content.httpOnly ≡ ⊥ and addcold to m otherwise. The result ofCookieMerge(oldcookies,newcookies) is m.

The functionAddCookie adds a cookiec received in an HTTP response to the sequence of cookiescontained in the sequenceoldcookies. It is again based on the algorithm described in RFC6265 butsimplified for the use in the browser model.

Definition 38. For a sequence of cookies (with pairwise different names)oldcookiesand a cookiec, thesequenceAddCookie(oldcookies,c) is defined by the following algorithm: Letm:= oldcookies. Removeanyc′ from m that hasc.name≡ c′.name. Appendc to m and returnm.

The functionNavigableWindows returns a set of windows that a document is allowed to navigate. Weclosely follow [14], Section 5.1.4 for this definition.

Definition 39. The setNavigableWindows(w,s′) is the setW⊆ Subwindows(s′) of pointers to windowsthat the active document inw is allowed to navigate. The setW is defined to be the minimal set suchthat for everyw′ ∈ Subwindows(s′) the following is true:

• If s′.w′.activedocument.origin ≡ s′.w.activedocument.origin (i.e., the active documentsin w andw′ are same-origin), thenw′ ∈W, and

• If s′.wchildof∗−−−−→ s′.w′ ∧ ∄w′′ ∈ Subwindows(s′) with s′.w′

childof∗−−−−→ s′.w′′ (w′ is a top-level window

andw is an ancestor window ofw′), thenw′ ∈W, and

43

• If ∃ p∈ Subwindows(s′) such thats′.w′childof+−−−−→ s′.p

∧ s′.p.activedocument.origin= s′.w.activedocument.origin (w′ is not a top-level windowbut there is an ancestor windowp of w′ with an active document that has the same origin as theactive document inw), thenw′ ∈W, and

• If ∃ p∈ Subwindows(s′) such thats′.w′.opener= s′.p.nonce ∧ p∈W (w′ is a top-level window—it has an opener—andw is allowed to navigate the opener window ofw′, p), thenw′ ∈W.

D.2. Description of the Web Browser Atomic Process

We will now describe the relationRp of a standard HTTP browserp. We define((〈〈a, f ,m〉〉,s) ,(M,s′))to belong toRp iff the non-deterministic algorithm presented below, whengiven (〈a, f ,m〉,s) as input,terminates withstop M, s′, i.e., with outputM ands′. Recall that〈a, f ,m〉 is an (input) event ands is a(browser) state,M is a sequence of (output) protoevents, ands′ is a new (browser) state (potentially withplaceholders for nonces).Notations..The notationlet n← N is used to describe thatn is chosen non-deterministically from thesetN. We writefor each s∈M do to denote that the following commands (untilend for) are repeatedfor every element inM, where the variables is the current element. The order in which the elements areprocessed is chosen non-deterministically. We will write,for example,

let x,y such that 〈Constant,x,y〉 ≡ t if possible; otherwisedoSomethingElse

for some variablesx,y, a stringConstant, and some termt to express thatx := π2(t), andy := π3(t)if Constant≡ π1(t) and if |〈Constant,x,y〉| = |t|, and that otherwisex andy are not set and doSome-thingElse is executed.

Placeholders..In several places throughout the algorithms presented nextwe use placeholders to gener-ate “fresh” nonces as described in our communication model (see Definition1). Figure12 shows a listof all placeholders used.

Placeholder Usage

ν1 Algorithm 7, new window noncesν2 Algorithm 7, new HTTP request nonceν3 Algorithm 7, lookup key for pending HTTP requests entryν4 Algorithm 5, new HTTP request nonce (multiple lines)ν5 Algorithm 5, new subwindow nonceν6 Algorithm 6, new HTTP request nonceν7 Algorithm 6, new document nonceν8 Algorithm 4, lookup key for pending DNS entryν9 Algorithm 1, new window nonceν10, . . . Algorithm 5, replacement for placeholders in scripting process output

Figure 12. List of placeholders used in browser algorithms.

Before we describe the main browser algorithm, we first definesome functions.

Functions. In the description of the following functions we usea, f , m, ands as read-only global inputvariables. All other variables are local variables or arguments.

The following function,GETNAVIGABLEWINDOW, is called by the browser to determine the win-dow that isactually navigated when a script in the windows′.w provides a window reference for nav-igation (e.g., for opening a link). When it is given a window reference (nonce)window, this functionreturns a pointer to a selected window term ins′:

44

• If windowis the string _BLANK, a new window is created and a pointer to that window is returned.

• If window is a nonce (reference) and there is a window term with a reference of that value in thewindows ins′, a pointerw′ to that window term is returned, as long as the window is navigable bythe current window’s document (as defined byNavigableWindows above).

In all other cases,w is returned instead (the script navigates its own window).

Algorithm 1 Determine window for navigation.

1: function GETNAVIGABLEWINDOW(w, window, noreferrer, s′)2: if window≡ _BLANK then ⊲ Open a new window when _BLANK is used3: if noreferrer≡⊥ then4: let w′ := 〈ν9,〈〉,s′.w.nonce〉5: else6: let w′ := 〈ν9,〈〉,⊥〉7: end if8: let s′.windows := s′.windows+〈〉 w′

→֒ and let w′ be a pointer to this new element ins′

9: return w′

10: end if11: let w′ ← NavigableWindows(w,s′) such thats′.w′.nonce≡ window

→֒ if possible; otherwise returnw12: return w′

13: end function

The following function takes a window reference as input andreturns a pointer to a window as above,but it checks only that the active documents in both windows are same-origin. It creates no new windows.

Algorithm 2 Determine same-origin window.

1: function GETWINDOW(w, window, s′)2: let w′ ← Subwindows(s′) such thats′.w′.nonce≡ window

→֒ if possible; otherwise returnw3: if s′.w′.activedocument.origin≡ s′.w.activedocument.origin then4: return w′

5: end if6: return w7: end function

The next function is used to stop any pending requests for a specific window. From the pendingrequests and pending DNS requests it removes any requests with the given window referencen.

Algorithm 3 Cancel pending requests for given window.

1: function CANCELNAV(n, s′)2: remove all 〈n, req,key, f 〉 from s′.pendingRequests for any req, key, f3: remove all 〈x,〈n,message,url〉〉 from s′.pendingDNS

→֒ for any x, message, url4: return s′

5: end function

The following function takes an HTTP requestmessageas input, adds cookie and origin headers tothe message, creates a DNS request for the hostname given in the request and stores the request ins′.pendingDNS until the DNS resolution finishes. For normal HTTP requests,referenceis a windowreference. For XHRs,referenceis a value of the form〈document,nonce〉 wheredocumentis a documentreference andnonceis some nonce that was chosen by the script that initiated therequest.url contains

45

the full URL of the request (this is mainly used to retrieve the protocol that should be used for thismessage, and to store the fragment identifier for use after the document was loaded).origin is the originheader value that is to be added to the HTTP request.

Algorithm 4 Prepare headers, do DNS resolution, save message.

1: function SEND(reference, message, url, origin, referrer, s′)2: if message.host ∈〈〉 s′.sts then3: let url.protocol := S

4: end if5: let cookies:= 〈{〈c.name,c.content.value〉|c∈〈〉 s′.cookies[message.host]

→֒ ∧(c.content.secure =⇒ (url.protocol= S))}〉6: let message.headers[Cookie] := cookies7: if origin 6≡ ⊥ then8: let message.headers[Origin] := origin9: end if

10: if referrer 6≡ ⊥ then11: let message.headers[Referer] := referrer12: end if13: let s′.pendingDNS[ν8] := 〈reference,message,url〉14: stop 〈〈s′.DNSaddress,a,〈DNSResolve,host,ν8〉〉〉, s′

15: end function

The functionRUNSCRIPT performs a script execution step of the script in the document s′.d (whichis part of the windows′.w). A new script and document state is chosen according to the relation definedby the script and the new script and document state is saved. Afterwards, thecommandthat the scriptissued is interpreted.

Algorithm 5 Execute a script.

1: function RUNSCRIPT(w, d, s′)2: let tree := Clean(s′,s′.d)3: let cookies:= 〈{〈c.name,c.content.value〉|c∈〈〉 s′.cookies

[s′.d.origin.host

]

→֒ ∧c.content.httpOnly=⊥→֒ ∧

(c.content.secure =⇒

(s′.d.origin.protocol≡ S

))}〉

4: let tlw← s′.windows such that tlw is the top-level window containingd5: let sessionStorage:= s′.sessionStorage

[〈s′.d.origin, tlw.nonce〉

]

6: let localStorage:= s′.localStorage[s′.d.origin

]

7: let secrets:= s′.secrets[s′.d.origin

]

8: let R← script−1(s′.d.script)9: let in := 〈tree, s′.d.nonce,s′.d.scriptstate, s′.d.scriptinputs, cookies,

→֒ localStorage, sessionStorage, s′.ids, secrets〉10: let state′ ← TN (V),

→֒ cookies′← Cookiesν ,→֒ localStorage′← TN (V),→֒ sessionStorage′← TN (V),→֒ command← TN (V),→֒ outλ := 〈state′,cookies′, localStorage′, sessionStorage′,command〉→֒ such that (in,outλ) ∈ R

11: let out := outλ[ν10/λ1,ν11/λ2, . . . ]12: let s′.cookies

[s′.d.origin.host

]

→֒ := 〈CookieMerge(s′.cookies[s′.d.origin.host

], cookies′)〉

13: let s′.localStorage[s′.d.origin

]:= localStorage′

14: let s′.sessionStorage[〈s′.d.origin, tlw.nonce〉

]:= sessionStorage′

46

15: let s′.d.scriptstate := state′

16: switch commanddo17: case〈HREF,url,hrefwindow,noreferrer〉18: let w′ := GETNAVIGABLEWINDOW(w, hrefwindow, noreferrer, s′)19: let req := 〈HTTPReq,ν4,GET,url.host,url.path,〈〉,url.parameters,〈〉〉20: if noreferrer≡⊥ then21: let referrer := s′.d.location22: else23: let referrer := ⊥24: end if25: let s′ := CANCELNAV(s′.w′.nonce,s′)26: SEND(s′.w′.nonce, req, url,⊥, referrer, s′)

27: case〈IFRAME,url,window〉28: let w′ := GETWINDOW(w,window,s′)29: let req := 〈HTTPReq,ν4,GET,url.host,url.path,〈〉,url.parameters,〈〉〉30: let referrer := s′.w′.activedocument.location31: let w′ := 〈ν5,〈〉,⊥〉32: let s′.w′.activedocument.subwindows

→֒ := s′.w′.activedocument.subwindows+〈〉w′

33: SEND(ν5, req, url,⊥, referrer, s′)

34: case〈FORM,url,method,data,hrefwindow〉35: if method6∈ {GET,POST} then 21

36: stop 〈〉, s′

37: end if38: let w′ := GETNAVIGABLEWINDOW(w, hrefwindow,⊥, s′)39: if method= GET then40: let body:= 〈〉41: let parameters:= data42: let origin := ⊥43: else44: let body:= data45: let parameters:= url.parameters46: let origin := s′.d.origin47: end if48: let req := 〈HTTPReq,ν4,method,url.host,url.path,〈〉,parameters,body〉49: let referrer := s′.d.location50: let s′ := CANCELNAV(s′.w′.nonce,s′)51: SEND(s′.w′.nonce, req, url, origin, referrer, s′)

52: case〈SETSCRIPT,window,script〉53: let w′ := GETWINDOW(w,window,s′)54: let s′.w′.activedocument.script := script55: stop 〈〉, s′

56: case〈SETSCRIPTSTATE,window,scriptstate〉57: let w′ := GETWINDOW(w,window,s′)58: let s′.w′.activedocument.scriptstate := scriptstate59: stop 〈〉, s′

60: case〈XMLHTTPREQUEST,url,method,data,xhrreference〉61: if method∈ {CONNECT,TRACE,TRACK}∧xhrreference6∈ {N ,⊥} then62: stop 〈〉, s′

63: end if64: if url.host 6≡ s′.d.origin.host

21The working draft for HTML5 allowed for DELETE and PUT methods in HTML5 forms. However, these have sincebeen removed. Seehttp://www.w3.org/TR/2010/WD-html5-diff-20101019/#changes-2010-06-24.

47

http://www.w3.org/TR/2010/WD-html5-diff-20101019/#changes-2010-06-24

→֒ ∨ url 6≡ s′.d.origin.protocol then65: stop 〈〉, s′

66: end if67: if method∈ {GET,HEAD} then68: let data:= 〈〉69: let origin := ⊥70: else71: let origin := s′.d.origin72: end if73: let req := 〈HTTPReq,ν4,method,url.host,url.path, ,url.parameters,data〉74: let referrer := s′.d.location75: SEND(〈s′.d.nonce,xhrreference〉, req, url, origin, referrer, s′)

76: case〈BACK,window〉 22

77: let w′ := GETNAVIGABLEWINDOW(w, window,⊥, s′)78: if ∃ j ∈N, j > 1 such thats′.w′.documents. j.active≡⊤ then79: let s′.w′.documents. j.active := ⊥80: let s′.w′.documents.( j−1).active := ⊤81: let s′ := CANCELNAV(s′.w′.nonce,s′)82: end if83: stop 〈〉, s′

84: case〈FORWARD,window〉85: let w′ := GETNAVIGABLEWINDOW(w, window,⊥, s′)86: if ∃ j ∈N such thats′.w′.documents. j .active≡⊤

→֒ ∧ s′.w′.documents.( j +1) ∈ Documents then87: let s′.w′.documents. j.active := ⊥88: let s′.w′.documents.( j +1).active := ⊤89: let s′ := CANCELNAV(s′.w′.nonce,s′)90: end if91: stop 〈〉, s′

92: case〈CLOSE,window〉93: let w′ := GETNAVIGABLEWINDOW(w, window,⊥, s′)94: removes′.w′ from the sequence containing it95: stop 〈〉, s′

96: case〈POSTMESSAGE,window,message,origin〉97: let w′ ← Subwindows(s′) such thats′.w′.nonce≡ window98: if ∃ j ∈ N such thats′.w′.documents. j.active≡⊤

→֒ ∧(origin 6≡ ⊥ =⇒ s′.w′.documents. j .origin≡ origin) then99: let s′.w′.documents. j.scriptinputs

→֒ := s′.w′.documents. j .scriptinputs→֒ +〈〉〈POSTMESSAGE,s′.w.nonce,s′.d.origin,message〉

100: end if101: stop 〈〉, s′

102: caseelse103: stop 〈〉, s′

104: end function

The functionPROCESSRESPONSE is responsible for processing an HTTP response (response) thatwas received as the response to a request (request) that was sent earlier. Inreference, either a windowor a document reference is given (see explanation for Algorithm 4 above).requestUrlcontains the URLused when retrieving the document.

22Note that navigating a window using the back/forward buttons does not trigger a reload of the affected documents. Whilereal world browser may chose to refresh a document in this case, we assume that the complete state of a previously vieweddocument is restored. A reload can be triggered non-deterministically at any point (in the main algorithm).

48

The function first saves any cookies that were contained in the response to the browser state, thenchecks whether a redirection is requested (Location header). If that is not the case, the function createsa new document (for normal requests) or delivers the contents of the response to the respective receiver(for XHR responses).

Algorithm 6 Process an HTTP response.

1: function PROCESSRESPONSE(response, reference, request, requestUrl, s′)2: if Set-Cookie∈ response.headers then3: for eachc∈〈〉 response.headers[Set-Cookie], c∈ Cookies do4: let s′.cookies [request.host]

→֒ := AddCookie(s′.cookies [request.host] ,c)5: end for6: end if7: if Strict-Transport-Security∈ response.headers ∧ requestUrl.protocol≡ S then8: let s′.sts := s′.sts +〈〉 request.host9: end if

10: if Referer∈ request.headers then11: let referrer := request.headers[Referer]12: else13: let referrer := ⊥14: end if15: if Location∈ response.headers∧ response.status∈ {303,307} then16: let url := response.headers[Location]17: if url.fragment≡⊥ then18: let url.fragment := requestUrl.fragment19: end if20: let method′ := request.method21: let body′ := request.body22: if Origin∈ request.headers then23: let origin := 〈request.headers[Origin],〈request.host,url.protocol〉〉24: else25: let origin := ⊥26: end if27: if response.status≡ 303∧ request.method 6∈ {GET,HEAD} then28: let method′ := GET

29: let body′ := 〈〉30: end if31: if ∄w∈ Subwindows(s′) such thats′.w.nonce≡ referencethen

⊲ Do not redirect XHRs.32: stop 〈〉, s33: end if34: let req := 〈HTTPReq,ν6,method′,url.host,url.path,〈〉,url.parameters,body′〉35: SEND(reference, req, url, origin, referrer, s′)36: end if37: if ∃w∈ Subwindows(s′) such thats′.w.nonce≡ referencethen

⊲ normal response38: if response.body 6∼ 〈∗,∗〉 then39: stop{}, s′

40: end if41: let script := π1(response.body)42: let scriptstate:= π2(response.body)43: let d := 〈ν7, requestUrl, referrer,script,scriptstate,〈〉,〈〉,⊤〉44: if s′.w.documents≡ 〈〉 then

49

45: let s′.w.documents := 〈d〉46: else47: let i ← N such thats′.w.documents.i.active≡⊤48: let s′.w.documents.i.active := ⊥49: removes′.w.documents.(i +1) and all following documents

→֒ from s′.w.documents50: let s′.w.documents := s′.w.documents+〈〉 d51: end if52: stop{}, s′

53: else if∃w∈ Subwindows(s′), d such thats′.d.nonce≡ π1(reference)→֒ ∧ s′.d = s′.w.activedocument then ⊲ process XHR response

54: let s′.d.scriptinputs := s′.d.scriptinputs+〈〉

〈XMLHTTPREQUEST, response.body,π2(reference)〉55: end if56: end function

Main Algorithm.. This is the main algorithm of the browser relation. It receives the messagemas input,as well asa, f andsas above.

Algorithm 7 Main Algorithm

Input: 〈a, f ,m〉,s1: let s′ := s2: if s.isCorrupted 6≡ ⊥ then3: let s′.pendingRequests := 〈m,s.pendingRequests〉 ⊲ Collect incoming messages4: let m′ ← dV(s′)5: let a′← IPs

6: stop 〈〈a′,a,m′〉〉, s′

7: end if8: if m≡ TRIGGER then ⊲ A special trigger message.9: let switch← {1,2,3}

10: if switch≡ 1 then ⊲ Run some script.11: let w← Subwindows(s′) such thats′.w.documents 6= 〈〉

→֒ if possible; otherwise stop〈〉, s′

12: let d := w+〈〉 activedocument13: RUNSCRIPT(w, d, s′)14: else ifswitch≡ 2 then ⊲ Create some new request.15: let w′ := 〈ν1,〈〉,⊥〉16: let s′.windows := s′.windows+〈〉 w′

17: let protocol← {P,S}18: let host← Doms

19: let path← S20: let fragment← S21: let parameters← [S×S]22: let url := 〈URL,protocol,host,path,parameters, fragment〉23: let req := 〈HTTPReq,ν2,GET,host,path,〈〉,parameters,〈〉〉24: SEND(ν1, req, url,⊥, s′)25: else ifswitch≡ 3 then ⊲ Reload some document.26: let w← Subwindows(s′) such thats′.w.documents 6= 〈〉

→֒ if possible; otherwise stop〈〉, s′

27: let url := s′.w.activedocument.location28: let req := 〈HTTPReq,ν2,GET,url.host,url.path,〈〉,url.parameters,〈〉〉29: let referrer := s′.w.activedocument.referrer30: let s′ := CANCELNAV(s′.w.nonce,s′)31: SEND(s′.w.nonce, req, url,⊥, referrer, s′)

50

32: end if33: else ifm≡ FULLCORRUPT then ⊲ Request to corrupt browser34: let s′.isCorrupted := FULLCORRUPT

35: stop 〈〉, s′

36: else ifm≡ CLOSECORRUPT then ⊲ Close the browser37: let s′.secrets := 〈〉38: let s′.windows := 〈〉39: let s′.pendingDNS := 〈〉40: let s′.pendingRequests := 〈〉41: let s′.sessionStorage := 〈〉42: let s′.cookies⊂〈〉 Cookies such that

→֒ (c∈〈〉 s′.cookies)⇐⇒ (c∈〈〉 s.cookies∧c.content.session≡⊥)43: let s′.isCorrupted := CLOSECORRUPT

44: stop 〈〉, s′

45: else if∃〈reference, request,url,key, f 〉 ∈〈〉 s′.pendingRequests→֒ such thatπ1(decs(m,key))≡ HTTPResp then ⊲ Encrypted HTTP response

46: let m′ := decs(m,key)47: if m′.nonce 6≡ request.nonce then48: stop 〈〉, s49: end if50: remove〈reference, request,url,key, f 〉 from s′.pendingRequests51: PROCESSRESPONSE(m′, reference, request, url, s′)52: else ifπ1(m)≡ HTTPResp ∧ ∃〈reference, request,url,⊥, f 〉 ∈〈〉 s′.pendingRequests

→֒ such thatm′.nonce≡ request.key then53: remove〈reference, request,url,⊥, f 〉 from s′.pendingRequests54: PROCESSRESPONSE(m, reference, request, url, s′)55: else ifm∈ DNSResponses then ⊲ Successful DNS response56: if m.nonce 6∈ s.pendingDNS∨m.result 6∈ IPs∨m.domain 6≡ π2(s.pendingDNS).host then57: stop 〈〉, s58: end if59: let 〈reference,message,url〉 := s.pendingDNS[m.nonce]60: if url.protocol≡ S then61: let s′.pendingRequests := s′.pendingRequests

→֒ +〈〉〈reference, message, url, ν3, m.result〉62: let message:= enca(〈message,ν3〉,s′.keyMapping[message.host])63: else64: let s′.pendingRequests := s′.pendingRequests

→֒ +〈〉〈reference, message, url,⊥, m.result〉65: end if66: let s′.pendingDNS := s′.pendingDNS−m.nonce67: stop 〈〈m.result,a,message〉〉, s′

68: end if69: stop 〈〉, s

E. Formal Model of OAuth

We here present the full details of our formal model of OAuth which we use to analyze the authenticationproperties.

We model OAuth as a web system (in the sense of AppendixB.3). We call a web systemOWS =(W ,S ,script,E0) anOAuth web systemif it is of the form described in what follows.

51

E.1. Outline

The systemW = Hon∪Net consists of network attacker processes (inNet), a finite setB of webbrowsers, a finite setRP of web servers for the relying parties, a finite setIDP of web servers for theidentity providers, withHon := B∪RP∪ IDP. More details on the processes inW are provided below.We do not model DNS servers, as they are subsumed by the network attacker. Figure13 shows the setof scriptsS and their respective string representations that are defined by the mappingscript. The setE0

contains only the trigger events as specified in AppendixB.3.

s∈ S script(s)

Ratt att_scriptscript_rp_index script_rp_indexscript_rp_implicit script_rp_implicitscript_idp_form script_idp_form

Figure 13. List of scripts inS and their respective string representations.

This outlinesOWS . We will now define the DY processes inOWS and their addresses, domain names,and secrets in more detail.

E.2. Addresses and Domain Names

The setIPs contains for every network attacker inNet, every relying party inRP, every identity providerin IDP, and every browser inB a finite set of addresses each. Byaddr we denote the correspondingassignment from a process to its address. The setDoms contains a finite set of domains for every relyingparty inRP, every identity provider inIDP, and every network attacker inNet. Browsers (inB) do nothave a domain.

By addr anddom we denote the assignments from atomic processes to sets ofIPs andDoms, respec-tively.

E.3. Keys and Secrets

The setN of nonces is partitioned into five sets, an infinite sequenceN, an infinite setKSSL, an infinitesetKsign, and finite setsPasswords, RPSecrets′ andProtectedResources. We thus have

N = N︸︷︷︸

infinite sequence

∪̇KSSL︸︷︷︸

finite

∪̇Passwords︸︷︷︸

finite

∪̇RPSecrets′︸︷︷︸

finite

∪̇ProtectedResources︸︷︷︸

finite

.

We then defineRPSecrets := RPSecrets∪{⊥}. These sets are used as follows:

• The setN contains the nonces that are available for each DY process inW (it can be used to createa run ofW ).

• The setKSSL contains the keys that will be used for SSL encryption. Letsslkey : Doms→ KSSL

be an injective mapping that assigns a (different) private key to every domain. For an atomic DYprocessp we definesslkeysp = 〈{〈d,sslkey(d)〉 | d ∈ dom(p)}〉.

• The setPasswords is the set of passwords (secrets) the browsers share with theidentity providers.These are the passwords the users use to log in at the IdPs.

52

• The setRPSecrets is the set of passwords (secrets) the relying parties share with the identityproviders. These are the passwords the relying parties use to log in at the IdPs. The passwordscan also be blank (⊥).

• The setProtectedResources contains a secret for each combination of IdP, client, and user. Theseare thought of as protected resources that only the owner of the resource (i.e., the user) should beable to read.

E.4. Identities, Passwords, and Protected Resources

Identites consist, similar to email addresses, of a user name and a domain part. For our model, this isdefined as follows:

Definition 40. An identity (email address)i is a term of the form〈name,domain〉 with name∈ S anddomain∈ Doms.

Let ID be the finite set of identities. ByIDy we denote the set{〈name,domain〉 ∈ ID |domain∈dom(y)}.

We say that an ID isgovernedby the DY process to which the domain of the ID belongs. Formally,we define the mappinggovernor : ID→W , 〈name,domain〉 7→ dom−1(domain).

The governor of an ID will usually be an IdP, but could also be the attacker. Besidesgovernor, we definethe following mappings:

• By secretOfID : ID→ Passwords we denote the bijective mapping that assigns secrets to all iden-tities.

• Let ownerOfSecret : Passwords → B denote the mapping that assigns to each secret abrowser thatowns this secret. Now, we define the mappingownerOfID : ID → B, i 7→ownerOfSecret(secretOfID(i)), which assigns to each identity the browser that owns this iden-tity (we say that the identity belongs to the browser).

• Let trustedRPs : Passwords→ 2RP denote a mapping that assigns a set oftrusted relying partiesto each password. Intuitively a trusted relying party is a relying party the user entrusts with herpassword (in the resource owner password credentials grantmode of OAuth).

• Let clientIDOfRP : RP× IDP→ S denote a mapping that assigns an OAuth client id for an re-lying party to each combination of a relying party and an identity provider. We require thatclientIDOfRP(·, i) is bijective for anyi ∈ IDP.

• Let secretOfRP : RP× IDP→ RPSecrets denote a bijective mapping that assigns a relying partypassword (or the empty password⊥) to each combination of a relying party and an identityprovider.

• As a shortcut, we define the mappingsecretOfClientID : S× IDP → RPSecrets to return therelying party password to a relying party identified by an OAuth client id (at some specificidentity provider), i.e.,secretOfClientID(s, i) maps tosecretOfRP(r, i) with r such thats =clientIDOfRP(r, i).

• By resourceOf : IDP×RP× (ID∪{⊥})→ ProtectedResources we denote the injective mappingthat assigns a protected resource to each combination of user identity, IdP and client (RP). Wealso include protected resources that are not assigned to a specific user (in this case, the user is⊥).(Note that a protected resource depends not only on the IdP and user ID but also the RP. This is

53

motivated by the fact that different RPs may get access to different protected resources at one IdP,even if they access the resources of the same user.)

E.5. Corruption

RPs and IdPs can become corrupted: If they receive the message CORRUPT, they start collecting allincoming messages in their state and (upon triggering) sendout all messages that are derivable fromtheir state and collected input messages, just like the attacker process. We say that an RP or an IdP ishonestif the according part of their state (s.corrupt) is⊥, and that they are corrupted otherwise.

We are now ready to define the processes inW as well as the scripts inS in more detail.

E.6. Processes in W (Overview)

We first provide an overview of the processes inW . All processes inW contain in their initial statesall public keys and the private keys of their respective domains (if any). We defineI p = addr(p) for allp∈ Hon.

Network Attacker. There is one atomic DY processna∈ Net which is a network attacker (see Ap-pendixB.3), who uses all addresses for sending and listening.

Browsers. Eachb∈ B is a web browser as defined in AppendixD. The initial state contains all secretsowned byb, stored under the origins of the respective IdP and of all trusted RPs for the respective secret.See AppendixE.8for details.

Relying Parties. Each relying party is a web server modeled as an atomic DY process following thedescription in Section2 and the fixes discussed in Section3. The RP can either (at any time) launcha client credentials mode flow or wait for users to start any ofthe other flows. RP manages two kindsof sessions: Thelogin sessions, which are only used during the login phase of a user, and theservicesessions(modeled by aservice tokenas described above).

When receiving a special message (CORRUPT) RPs can become corrupted. Similar to the definition ofcorruption for the browser, RPs then start sending out all messages that are derivable from their state.

Identity Providers. Each IdP is a web server modeled as an atomic DY process following the descrip-tion in Section2 and the fixes discussed in Section3. In particular, users can authenticate to the IdPwith their credentials. Authenticated users can interact with the authorization endpoint of the IdP (e.g.,to acquire an authorization code). Just as RPs, IdPs can become corrupted.

E.7. Network Attackers

As mentioned, the network attackerna is modeled to be a network attacker as specified in AppendixB.3.We allow it to listen to/spoof all available IP addresses, and hence, defineIna = IPs. The initial state issna0 = 〈attdoms,sslkeys,signkeys〉, whereattdomsis a sequence of all domains along with the correspond-

ing private keys owned by the attackerna, sslkeysis a sequence of all domains and the correspondingpublic keys, andsignkeysis a sequence containing all public signing keys for all IdPs.

E.8. Browsers

Eachb∈ B is a web browser as defined in AppendixD, with Ib := addr(b) being its addresses.To define the inital state, first letIDb := ownerOfID−1(b) be the set of all IDs ofb. We then define the

set of passwords that a browserb gives to an origino to consist of two parts: (1) If the origin belongsto an IdP, then the user’s passwords of this IdP are containedin the set. (2) If the origin belongs to an

54

RP, then those passwords with which the user entrusts this RPare contained in the set. To define thismapping in the initial state, we first define for some processp

Secretsb,p ={

s∣∣∣ b= ownerOfSecret(s)∧

((∃ i : s= secretOfID(i)∧ i ∈ governor−1(p))

∨ (∃R : p∈ R∧s∈ trustedRPs−1(R)))}

.

Then, the initial statesb0 is defined as follows: the key mapping maps every domain to itspublic (ssl)

key, according to the mappingsslkey; the DNS address is an address of the network attacker; the list ofsecrets contains an entry〈〈d,S〉,〈Secretsb,p〉〉 for eachp∈ RP∪ IDP andd ∈ dom(p); ids is 〈IDb〉; stsis empty.

E.9. Relying Parties

A relying partyr ∈RP is a web server modeled as an atomic DY process(I r ,Zr ,Rr ,sr0) with the addresses

I r := addr(r). Its initial statesr0 contains its domains, the private keys associated with its domains, the

DNS server address, and information about IdPs RP is registered at. The full state additionally containsthe sets of service tokens and login session identifiers the RP has issued as well as information aboutpending DNS and pending HTTPS requests (similar to browsers). RP only accepts HTTPS requests.

RP manages two kinds of sessions: Thelogin sessions, which are only used during the login phaseof a user, and theservice sessions(we call the session identifier of a service session aservice token).Service sessions allow a user to use RP’s services. The ultimate goal of a login flow is to establish sucha service session.

We now first describe howr can become corrupted, then we describe the handling of DNS and HTTPSrequests and responses, before we describe the behaviour ofr during a login flow.

Corruption. Whenr receives a corrupt message, it becomes corrupt and acts likethe attacker from thenon (i.e., it collects all incoming messages and non-deterministically sends out all messages derivablefrom its state).

Pending DNS Requests and Pending HTTPS Requests.Since the RPr also acts as an HTTPS client, itmanages two kinds of records for messages that have been sentout into the network and are waitingfor corresponding responses. When an HTTPS message is to be sent, the RP first needs to resolve thehostname into an IP address. To this end, the RP first stores the HTTPS request (together with somestate information) in a subterm of its state calledpendingDNSand (instead of sending the HTTPS requestimmediately) sends out a DNS request to the DNS server. When aDNS response arrives that matchesone of the entries in this subterm, the HTTPS request is sent out over the network (to the resolved IPaddress) and stored in the subtermpendingRequestsof the RP’s state. Note that this mechanism is verysimilar to (generic) browsers (see AppendixD).

Initial Request.In a typical flow,r will first receive an HTTP GET request from a browser for the path/. In this case,r returns the scriptscript_rp_index. In the browser, this script non-deterministicallyselects an identity of the user, i.e., a combination of a username and a domain of an IdP. Further thisscript non-deterministically decides whether an interactive login (i.e., authorization code mode or im-plicit mode) or a non-interactive login (i.e., resource owner password credentials mode) is used. If aninteractive login is chosen, the script instructs the browser to send an HTTPS POST request tor for thepath/startInteractiveLogin. This POST request contains in its body the domain of the IdP.23 If

23Note that while the script has selected an identity of the user, only the domain of the IdP is used in this case and duringthe authentication to the IdP, a different username may be chosen.

55

the script chooses a non-interactive login, the domain of the IdP, the username, and the user’s passwordare sent tor in an HTTPS POST request for the path/passwordLogin.

As the flow now forks into different branches, we will explain(the first part of) each of these branchesseparately: If the script has chosen to run an interactive login, we continue our description in the para-graphInteractive Loginbelow. Else, if the script has chosen to run a non-interactive login, we continueour description of this in the paragraphNon-Interactive Login.

Interactive Login. In this case,script_rp_index has sent an HTTPS POST request for the path/startInteractiveLogin to r containing the name of an IdP in its body. Whenr receives such arequest,r non-deterministically decides whether the OAuth authorization code mode or the OAuth im-plicit mode is used. Also,r non-deterministically selects a redirect URIredirect_uri of its redirectionendpoints (and appends the domain of the IdP to this redirectURI) or selects no redirect URI. Further,rnon-deterministically selects a (fresh) noncestateand a (fresh) nonce as login session id. Then,r savesall the chosen information in its state. Now,r constructs and sends an HTTPS response containing anHTTP 303 location redirect or an HTTP 307 location redirect24 (chosen non-deterministically) whichpoints to the corresponding authorization endpoint at the IdP along withr ’s OAuth client id for thisIdP, stateand information which OAuth moder has chosen. Additionally, this response also containsa Set-Cookie header, which sets a cookie containing the login session id.r also stores a record in thesubtermloginSessionsof its state. This record contains the login session id, the chosen OAuth mode,and the domain of the IdP.

Later, when IdP redirects the user’s browser tor ’s redirection endpoint,r will receive an HTTPSGET request for the path/redirectionEndpoint. This request must contain a login session id cookie,which refers to the information stored in the subtermloginSessionsin r ’s state. The request must alsocontain a parameter with the domain of the IdP and this domainmust match the domain stored for thislogin session.

If r has stored that for this login session the OAuth authorization code mode is used,r checks if thestatevalue contained in a parameter is correct (i.e., the value ofthis parameter is congruent to the valuerecorded inr ’s state). Then,r extracts the authorization codecodefrom the parameters of the incomingrequest and prepares an HTTPS POST request to the IdP’s tokenendpoint to obtain an access token asfollows: r adds the authorization code to the request’s body. If a redirect URI has been set byr before(according tor ’s state for this login session), the redirect URI is included in the request’s body. Ifrknows an OAuth client secret for the IdP,r adds its OAuth client id and its OAuth client secret for theIdP to the header of the request, elser adds its OAuth client id for the IdP to the request’s body. Now,r sends a DNS request for the domain of the IdP’s token endpointto the DNS server (according tor ’sstate), saves this (prepared) request and all information belonging to the (incoming) HTTPS requestrreceived from the browser (such as IP addresses, temporary HTTPS keys) inpendingDNSin its state.We will continue our description of which requestsr will process next in the OAuth authorization codemode in the paragraphToken Responsebelow.

If the (incoming) HTTPS request’s login session atr states that implicit mode is used,r instead sendsan HTTPS response to the sender of the incoming message. ThisHTTPS response contains the scriptscript_rp_implicit and the initial state for this script in this response contains the domain of the IdP.

In a browser, this script extractsaccess_tokenandstatefrom the fragment part of its URL and extractsthe domain of the IdP from its initial state. The script then sends this information in the body of anHTTPS POST request for the path/receiveTokenFromImplicitGrant to r.

Whenr receives such an HTTPS POST request (for the path/receiveTokenFromImplicitGrant),r checks if this request contains a login session id cookie, which refers to the information stored in its

24Note that while in this paper we present an attack against OAuth based on an HTTP 307 location redirect, our analysisshows that an HTTP 307 location redirect is safe at this pointin the protocol flow.

56

state and if the values ofstateand idp (contained in the request) match the information there. Next, rprepares an HTTPS request to IdP’s inspection endpoint containing the access token just received.rsaves all information belonging to this new request and the (incoming) request it had just received inpendingDNSin its state and sends out a DNS request for the domain of the IdP’s inspection endpoint tothe DNS server.

We describe what happens whenr later receives the response from IdP in the paragraphInspectionResponsebelow.

Non-Interactive Login.In this case,script_rp_index has sent an HTTPS POST request for the path/passwordLogin to r containing a domain of an IdP, a username and a user’s password in its body.Next, r constructs an HTTPS POST request to the token endpoint of theIdP. This request containsthe username and the user’s password in its body and ifr knows an OAuth client secret for the IdP,the request contains an HTTP header withr ’s OAuth client id and OAuth client secret.r saves allinformation belonging to this new request and the (incoming) requestr has just received in the subtermpendingDNSin r ’s state and sends out a DNS request for the domain of the IdP’stoken endpoint to theDNS server.

We describe what happens whenr later receives the response from the IdP in the paragraphTokenResponsebelow.

Client Credentials Mode. When r receives aTRIGGER message (which models thatr non-deterministically starts an OAuth flow in the client credentials mode),r first non-deterministically se-lects a domain of an IdP. Then,r constructs an HTTPS POST request to the token endpoint of theIdP.This request contains an HTTP header withr ’s OAuth client id and OAuth client secret.25 r saves allinformation belonging to this (prepared) request inpendingDNSand sends out a DNS request for thedomain of the IdP’s token endpoint to the DNS server.

We describe what happens whenr later receives the response from IdP in the paragraphToken Re-sponsebelow.

Token Response.When r receives an encrypted HTTP response that matches a record inthe subtermpendingRequestsof its state and belongs to a request for an access token from an IdP (according tothe information recorded inpendingRequests), thenr extracts the access token and prepares an HTTPSrequest to the IdP’s inspection endpoint containing the access token.r saves all information belongingto this new request inpendingDNS. Further,r also stores selected information, which is passed along inr ’s state in the corresponding record of the incoming request, such as the IP address of the sender andthe HTTPS response key of the request which initiatedr ’s request for the access token before. Then,rsends out a DNS request for the domain of the IdP’s inspectionendpoint to the DNS server.

Inspection Response.Whenr receives an encrypted HTTP response that matches a record inthe subtermpendingRequestsin its state and this record belongs to a request to an IdP’s inspection endpoint,rbehaves as follows: If the response belongs to a flow in clientcredentials mode (according to the record),r stops. Else, if the response containsr ’s OAuth client id,r retrieves the user id from the response andnon-deterministically chooses a fresh nonce as a service token. r records in its state that the servicetoken belongs to this user at the IdP. Now,r sends out an HTTPS response to the IP address recorded inthe record inpendingRequests(which contains the IP address of the browser, which initially sent eitheruser credentials, an authorization code, or an access token). This response contains the service token.

This concludes the description of the behaviour of an RP.

Formal description. We now provide the formal definition ofr as an atomic DY process(I r ,Zr ,Rr ,sr0).

25Note that in our model,r may even construct such a request ifr does not have an OAuth client secret for the IdP. In thiscase, the symbol⊥ is placed in this header instead of an OAuth client secret. The IdP, however, will drop such a request, as itis not authenticated.

57

As mentioned, we defineI r = addr(r). Next, we define the setZr of states ofr and the initial statesr0

of r.

Definition 41. An IdP registration recordis a term of the form

〈tokenEndpoint,authorizationEndpoint, inspectionEndpoint,clientId,clientPassword〉

with tokenEndpoint, authorizationEndpoint, inspectionEndpoint∈ URLs, clientId ∈ S, andclientPassword∈N .

An IdP registration record for an identity provider i at a relying party r is an IdP registration recordwith tokenEndpoint.host, authorizationEndpoint.host, inspectionEndpoint.host ∈ dom(i), clientId=clientIDOfRP(r, i), andclientPassword= secretOfRP(r, i).

Definition 42. A state s∈ Zr of an RP r is a term of the form〈DNSAddress, idps, serviceTokens,loginSessions, keyMapping, sslkeys, pendingDNS, pendingRequests, corrupt〉 where DNSAddress∈IPs, idps ∈

[Doms×TN

]is a dictionary of IdP registration records,serviceTokens∈

[N ×TN

],

loginSessions∈[N ×TN

]is a dictionary of login session records,keyMapping∈ [S×N ], sslkeys=

sslkeysr , pendingDNS∈[N ×TN

], pendingRequests∈

[N ×TN

], corrupt∈ TN .

An initial state sr0 of r is a state ofr with sr0.idps being a dictionary that maps each domain of all

identity providersi to an IdP registration record fori atr, sr0.serviceTokens= sr

0.loginSessions= 〈〉,sr0.corrupt=⊥, andsr

0.keyMapping is the same as the keymapping for browsers above.

We now specify the relationRr . Just like in AppendixD, we describe this relation by a non-deterministic algorithm. In several places throughout this algorithm we use placeholders to generate“fresh” nonces as described in our communication model (seeDefinition1). Figure14shows a list of allplaceholders used.

Placeholder Usage

ν1 new HTTP request nonceν2 lookup key for pending DNS entryν3 new service tokenν4 fresh HTTPS response keyν5 new HTTP request nonceν6 lookup key for pending DNS entryν7 new CSRF tokenν8 new login session cookieν9 new HTTP request nonceν10 lookup key for pending DNS entryν11 new HTTP request nonceν12 lookup key for pending DNS entryν13 new HTTP request nonceν14 lookup key for pending DNS entry

Figure 14. List of placeholders used in the relying party algorithm.

Algorithm 8 Relation of a Relying PartyRr

Input: 〈a, f ,m〉,s1: if s′.corrupt 6≡ ⊥∨m≡ CORRUPT then

58

2: let s′.corrupt := 〈〈a, f ,m〉,s′.corrupt〉3: let m′ ← dV(s′)4: let a′← IPs

5: stop 〈〈a′,a,m′〉〉, s′

6: end if7: if ∃〈reference, request,key, f 〉 ∈〈〉 s′.pendingRequests→֒ such thatπ1(decs(m,key))≡ HTTPResp then ⊲ Encrypted HTTP response

8: let m′ := decs(m,key)9: if m′.nonce 6≡ request.nonce then

10: stop 〈〉, s11: end if12: remove〈reference, request,key, f 〉 from s′.pendingRequests13: let mode:= π1(reference)14: if mode≡ code∨mode≡ password∨mode≡ client_credentials then15: let idp, a′, f ′, n′, k′ such that 〈mode, idp,a′, f ′,n′,k′〉 ≡ referenceif possible; otherwise stop〈〉, s16: let token:= m′.body[access_token]17: let inspectionEndpoint:= s′.idps[idp]18: let parameters:= inspectionEndpoint.parameters19: let parameters:= parameters+〈〉〈token, token〉20: let host:= inspectionEndpoint.domain21: let path:= inspectionEndpoint.path22: let message:= 〈HTTPReq,ν1,GET,host,path,parameters,〈〉,〈〉〉23: let s′.pendingDNS[ν2] := 〈〈inspect,mode, idp,a′, f ′,n′,k′〉,message〉24: stop 〈〈s′.DNSaddress,a,〈DNSResolve, inspectionEndpoint.domain,ν2〉〉〉, s′

25: else ifmode≡ inspect then26: let mode, idp, a′, f ′, n′, k′ such that 〈inspect,mode, idp,a′, f ′,n′,k′〉 ≡ reference

→֒ if possible; otherwise stop〈〉, s27: if mode≡ client_credentials then28: stop 〈〉, s ⊲ In client credential grant mode, no service token is issued.29: end if30: let clientId := body[client_id]31: if clientId≡ s′.idps[idp].clientId∨ (clientId≡ 〈〉∧mode≡ password∧

→֒ s′.idps[idp].clientPassword≡⊥) then32: let user:= body[user]33: else34: stop 〈〉, s35: end if36: let serviceToken:= ν3

37: let s′.serviceTokens[serviceToken] := 〈user, idp〉38: let m′ := encs(〈HTTPResp,n′,200,〈〉,〈serviceToken〉〉,k′)39: stop 〈〈 f ′,a′,m′〉〉,s′

40: end if41: stop 〈〉, s42: else ifm∈ DNSResponses then ⊲ Successful DNS response43: if m.nonce 6∈ s.pendingDNS∨m.result 6∈ IPs∨m.domain 6≡ π2(s.pendingDNS).host then44: stop 〈〉, s45: end if46: let 〈reference,message〉 := s.pendingDNS[m.nonce]47: let s′.pendingRequests := s′.pendingRequests

→֒ +〈〉〈reference, message, ν4, m.result〉48: let message:= enca(〈message,ν4〉,s′.keyMapping[message.host])49: let s′.pendingDNS := s′.pendingDNS−m.nonce50: stop 〈〈m.result,a,message〉〉, s′

51: else ifm≡ TRIGGER then ⊲ Start Client Credentials Grant

59

52: let idpEntry← s′.idps53: let idp := π1(idpEntry)54: let tokenEndpoint:= s′.idps[idp].tokenEndpoint ⊲ tokenEndpointis a URL55: let host:= tokenEndpoint.domain56: let path:= tokenEndpoint.path57: let parameters:= tokenEndpoint.parameters58: let headers:= 〈〈Authorization,〈s′.idps[idp].clientId,s′.idps[idp].clientPassword〉〉〉59: let message:=

→֒ 〈HTTPReq,ν5,POST,host,path,parameters,headers,〈〈grant_type,client_credentials〉〉〉60: let s′.pendingDNS[ν6] := 〈〈client_credentials, idp,⊥,⊥,⊥,⊥〉,message〉61: stop 〈〈s′.DNSaddress,a,〈DNSResolve, idp.tokenEndpoint.domain,ν6〉〉〉, s′

62: else ⊲ Handle HTTP requests63: let mdec, k, k′, inDomainsuch that

→֒ 〈mdec,k〉 ≡ deca(m,k′)∧〈inDomain,k′〉 ∈ s.sslkeys→֒ if possible; otherwise stop〈〉, s

64: let n, method, path, parameters, headers, bodysuch that→֒ 〈HTTPReq,n,method, inDomain,path,parameters,headers,body〉 ≡mdec

→֒ if possible; otherwise stop〈〉, s65: if path≡ / then ⊲ Serve index page.66: let m′ := encs(〈HTTPResp,n,200,〈〉,〈script_rp_index,〈〉〉〉,k)67: stop 〈〈 f ,a,m′〉〉, s′

68: else ifpath≡ /startInteractiveLogin∧method≡ POST then ⊲ Serve start interactive login request.69: let idp := body70: if idp 6∈ s′.idps then71: stop 〈〉, s72: end if73: let state:= ν7

74: let mode← {code,token}75: let responseStatus← {303,307}76: let authEndpoint:= s′.idps[idp].authorizationEndpoint ⊲ authEndpointis a URL77: let authEndpoint.parameters := authEndpoint.parameters+〈〉〈response_type,mode〉78: let authEndpoint.parameters := authEndpoint.parameters+〈〉

→֒ 〈client_id,s′.idps[idp].clientId〉79: let authEndpoint.parameters := authEndpoint.parameters+〈〉〈state,state〉80: let redirectUri← {⊥,⊤}81: if redirectUri≡⊤ then82: let sslkey′ ← s′.sslkeys ⊲ Choose one of RP’s domains non-deterministically83: let host′ := π1(sslkey′)84: let redirectUri := 〈URL,S,host′,/redirectionEndpoint,〈〈idp, idp〉〉,〈〉〉85: end if86: let loginSessionId:= ν8

87: let s′.loginSessions := s′.loginSessions+〈〉〈loginSessionId,〈idp,state,mode, redirectUri〉〉88: let setCookies:= 〈〈loginSessionId, loginSessionId,⊤,⊤,⊤〉〉89: let m′ := encs(〈HTTPResp,n, responseStatus,〈〈Location,authEndpoint〉,

→֒ 〈Set-Cookie,setCookies〉〉,⊥〉,k)90: stop 〈〈 f ,a,m′〉〉, s′

91: else ifpath≡ /redirectionEndpoint then92: let loginSessionId:= headers[Cookie][loginSessionId]93: let idp, state, mode, redirectUri such that 〈idp,state,mode, redirectUri〉 ≡

→֒ s′.loginSessions[loginSessionId] if possible; otherwise stop〈〉, s94: if idp 6≡ parameters[idp] then95: stop 〈〉, s96: end if97: if mode≡ code then ⊲ Continue Authorization Code Grant

60

98: if parameters[state] 6≡ statethen99: stop 〈〉, s100: end if101: let code:= parameters[code]102: let tokenRequestHeaders:= 〈〉103: let tokenRequestBody:= 〈〈grant_type,authorization_code〉,〈code,code〉〉104: if redirectUri 6≡ ⊥ then105: let tokenRequestBody:= tokenRequestBody+〈〉〈redirect_uri, redirectUri〉106: end if107: let clientId := s′.idps[idp].clientId108: let clientPassword:= s′.idps[idp].clientPassword109: if clientPassword≡⊥ then110: let tokenRequestBody:= tokenRequestBody+〈〉〈client_id,clientId〉111: else112: let tokenRequestHeaders:= tokenRequestHeaders+〈〉

→֒ 〈Authorization,〈clientId,clientPassword〉〉113: end if114: let tokenEndpoint:= s′.idps[idp].tokenEndpoint115: let message := 〈HTTPReq,ν9,POST, tokenEndpoint.domain, tokenEndpoint.path,

tokenEndpoint.parameters, tokenRequestHeaders, tokenRequestBody〉116: let s′.pendingDNS[ν10] := 〈〈code, idp,a, f ,n,k〉,message〉117: stop 〈〈s′.DNSaddress,a,〈DNSResolve, tokenEndpoint.domain,ν10〉〉〉, s′

118: else ifmode≡ token then ⊲ Continue Implicit Grant119: let m′ := encs(〈HTTPResp,n,200,〈〉,〈script_rp_implicit, idp〉〉,k)120: stop 〈〈 f ,a,m′〉〉, s′

121: end if122: stop 〈〉, s123: else ifpath≡ /passwordLogin∧method≡ POST then124: let idp, username, passwordsuch that 〈〈username, idp〉,password〉 ≡ bodyif possible; otherwise

→֒ stop 〈〉, s125: let tokenRequestHeaders:= 〈〉126: let tokenRequestBody:= 〈〈grant_type,password〉,〈username,〈username, idp〉〉,

→֒ 〈password,password〉〉127: let clientId := s′.idps[idp].clientId128: let clientPassword:= s′.idps[idp].clientPassword129: if clientPassword6≡ ⊥ then130: let tokenRequestHeaders:= tokenRequestHeaders+〈〉

→֒ 〈Authorization,〈clientId,clientPassword〉〉131: end if132: let tokenEndpoint:= s′.idps[idp].tokenEndpoint133: let message := 〈HTTPReq,ν11,POST, tokenEndpoint.domain, tokenEndpoint.path,

tokenEndpoint.parameters, tokenRequestHeaders, tokenRequestBody〉134: let s′.pendingDNS[ν12] := 〈〈password, idp,a, f ,n,k〉,message〉135: stop 〈〈s′.DNSaddress,a,〈DNSResolve, tokenEndpoint.domain,ν12〉〉〉, s′

136: else ifpath≡ /receiveTokenFromImplicitGrant∧method≡ POST then137: let loginSessionId:= headers[Cookie][loginSessionId]138: let idp, state, mode, redirectUri such that 〈idp,state,mode, redirectUri〉 ≡

→֒ s′.loginSessions[loginSessionId] if possible; otherwise stop〈〉, s139: let tokensuch that 〈token,state, idp〉 ≡ bodyif possible; otherwise stop〈〉, s140: let inspectionEndpoint:= s′.idps[idp].inspectionEndpoint ⊲ inspectionEndpointis a URL141: let parameters′ := inspectionEndpoint.parameters142: let parameters′ := parameters′ +〈〉〈token, token〉143: let host:= inspectionEndpoint.domain144: let path′ := inspectionEndpoint.path

61

145: let message:= 〈HTTPReq,ν13,GET,host,path′,parameters′,〈〉,〈〉〉146: let s′.pendingDNS[ν14] := 〈〈inspect,implicit, idp,a, f ,n,k〉,message〉147: stop 〈〈s′.DNSaddress,a,〈DNSResolve, inspectionEndpoint.domain,ν14〉〉〉, s′

148: end if149: end if150: stop 〈〉, s

In the following scripts, to extract the current URL of a document, the functionGETURL(tree,docnonce) is used. We define this function as follows: It searches for the documentwith the identifierdocnoncein the (cleaned) treetreeof the browser’s windows and documents. It thenreturns the URLu of that document. If no document with noncedocnonceis found in the treetree, ✸ isreturned.

Algorithm 9 Relation ofscript_rp_index

Input: 〈tree, docnonce, scriptstate, scriptinputs, cookies, localStorage, sessionStorage, ids, secrets〉1: let url := GETURL(tree,docnonce)2: let id← ids3: let interactive← {⊥,⊤}4: if interactive≡⊤ then5: let url′ := 〈URL,S,url.host,/startInteractiveLogin,〈〉,〈〉〉6: let command:= 〈FORM,url′,POST,π2(id),⊥〉7: else8: let url′ := 〈URL,S,url.host,/passwordLogin,〈〉,〈〉〉9: let secretsuch thatsecret= secretOfID(id)∧secret∈ secretsif possible; otherwise

→֒ stop 〈s,cookies, localStorage,sessionStorage,〈〉〉10: let command:= 〈FORM,url′,POST,〈id,secret〉,⊥〉11: end if12: stop 〈s,cookies, localStorage,sessionStorage,command〉

Algorithm 10 Relation ofscript_rp_implicit

Input: 〈tree, docnonce, scriptstate, scriptinputs, cookies, localStorage, sessionStorage, ids, secrets〉1: let url := GETURL(tree,docnonce)2: let url′ := 〈URL,S,url.host,/receiveTokenFromImplicitGrant,〈〉,〈〉〉3: let body:= 〈url.fragment[access_token],url.fragment[state],scriptstate〉4: let command:= 〈FORM,url′,POST,body,⊥〉5: stop 〈s,cookies, localStorage,sessionStorage,command〉

E.10. Identity Providers

An identity provideri ∈ IdPs is a web server modeled as an atomic process(I i ,Zi,Ri,si0) with the ad-

dressesI i := addr(i). Its initial statesi0 contains a list of its domains and (private) SSL keys, the paths

for the endpoints (authorization and token), a list of users, a list of clients, and information about thecorruption status (initially, the IdP is not corrupted). Besides this, the full state ofi further contains a listof issued authorization codes and access tokens.

Once the IdP becomes corrupted (when it receives the messagecorrupt), it starts collecting all inputmessages and non-deterministically sending out whatever messages are derivable from its state.

Otherwise, IdPs react to three types of requests:Requests to the authorization endpoint path:In this case, the IdP expects a POST request contain-

ing valid user credentials. If the user credentials are not supplied, or the request is not a POST request,the answer contains a script which shows a form to the user to enter her user credentials. In our model,the script just extracts the user credentials from the browser and sends a request to the IdP containing the

62

user credentials and any OAuth parameters contained in the original request (e.g., the intended redirectURI).

If the IdP received a POST request with valid user credentials, it checks the contained client identifieragainst its own list of clients. If the client identifier is unknown, the IdP aborts. Otherwise, it ensuresthat the redirect URI, if contained in the request, is valid.For this, it checks the list of redirect URIsstored along with the client identifier. If none of the redirect URIs match the redirect URI presented inthe request (see “Matching Redirect URIs” below), the IdP aborts. If no redirect URI is provided in therequest, the first URI in the list of redirect URIs is chosen asthe redirect URI.

Now the IdP creates a new authorization code and saves this code together with the client identifierand the redirect URI (if provided in the request) to the list of authorization codes.

Now, if the response type parameter in the request is “code”,the IdP issues a Location redirect headerto the redirect URI, appending (as parameters) the newly created authorization code and the state (ifprovided in the request).

If the reponse type is “token”, the IdP redirects the browserto the redirect URI, but appends theauthorization code, the state (if provided) and a fixed string (containing the token type, which is “bearer”)to the hash of the redirect URI.

Requests to the token endpoint path:Requests to the token endpoint path are only accepted by theIdP if they are POST requests. The IdP then checks that the request either contains a valid client ID,provided as a parameter, or a pair of client ID and client password in a basic authentication header.

If the grant type parameter isauthorization code, then the IdP checks that the authorization codedelivered to it is contained in the list of codes. It checks that the client ID and redirect URI are the sameas those stored in the list of codes. It then creates an accesstoken and returns it in the HTTPS response(with token type “bearer”).

If the grant type ispassword, the IdP checks the provided username and password and creates anaccess token as above.

If the grant type isclient credentials, the IdP checks that the client was authorized with client IDandclient password above. If so, it creates an access token as above.

Requests to the inspection endpoint path:In this case, the IdP expects an access token in theparameters of the request. If the access token is valid, the IdP returns the client and user id for which theaccess token was issued along with the protected resource for this client, user, and IdP.

Formal description. In the following, we will first define the (initial) state ofi formally and afterwardspresent the definition of the relationRi.

To define the initial state, we will need to add a list of all protected resources that this IdP manages.We therefore definesrlisti := 〈{resourceOf(i,c,u) |c ∈ RP,u ∈ ID}〉 for some IdPi. (Note that we donot use this term for term manipulations in the algorithm. Instead, this term ensures that the output ofthe atomic process is derivable from the input.)

Definition 43. A state s∈ Zi of an IdP i is a term of the form〈sslkeys, srlist, authEndpoint,tokenEndpoint, inspectEndpoint, clients, codes, corrupt〉 where sslkeys= sslkeysi , srlist = srlisti,authEndpoint, tokenEndpoint, inspectEndpoint∈ S, clients∈

[S×TN

], codes∈ TN , atokens∈ [N ×S].

An initial state si0 of i is a state of the form〈sslkeysi ,srlisti,w,x,y,clientsi,〈〉,〈〉,⊥〉 for somestrings w, x and y and a dictionaryclientsi that for each relying partyr contains an entry of theform 〈clientIDOfRP(r, i),z〉 where z is a sequence of URL terms that may contain the wildcard∗(see Definition4) where for everyu ∈〈〉 z we have thatu.protocol ≡ S, u.host ∈ dom(r) andu.parameters[idp]≡ d for somed ∈ dom(i).

The relationRi that defines the behavior of the IdPi is defined as follows:

Algorithm 11 Relation of IdPRi

63

Input: 〈a, f ,m〉,s1: if s′.corrupt 6≡ ⊥∨m≡ CORRUPT then2: let s′.corrupt := 〈〈a, f ,m〉,s′.corrupt〉3: let m′ ← dV(s′)4: let a′← IPs

5: stop 〈〈a′,a,m′〉〉, s′

6: end if7: let s′ := s8: let mdec, k, k′, inDomainsuch that→֒ 〈mdec,k〉 ≡ deca(m,k′)∧〈inDomain,k′〉 ∈ s.sslkeys→֒ if possible; otherwise stop〈〉, s

9: let n, method, path, parameters, headers, bodysuch that→֒ 〈HTTPReq,n,method, inDomain,path,parameters,headers,body〉 ≡mdec

→֒ if possible; otherwise stop〈〉, s10: if path≡ s.authEndpoint then ⊲ Authorization Endpoint.11: if method≡ GET∨ (method≡ POST∧ (body[username]≡ 〈〉∨body[password]≡ 〈〉)) then12: let data:= parameters13: let m′ := encs(〈HTTPResp,n,200,〈〉,〈script_idp_form,data〉〉,k)14: stop 〈〈 f ,a,m′〉〉, s′

15: else ifmethod≡ POST then16: if headers[Origin] 6≡ 〈inDomain,S〉 then ⊲ CSRF protection.17: stop 〈〉, s18: end if19: let username:= body[username]20: let password:= body[password]21: let clientid := body[client_id]22: let allowedredirects:= s.clients[clientid]23: if password6≡ secretOfID(username) then24: stop 〈〉, s25: end if26: if allowedredirects≡ 〈〉 then27: stop 〈〉, s28: end if29: let redirecturi := body[redirect_uri]30: if redirecturi 6≡ 〈〉 then31: if not redirecturi∼̇allowedredirectsthen32: stop 〈〉, s33: end if34: else35: let redirecturi← allowedredirects ⊲ Take one from list of redir URIs.36: end if37: if body[response_type]≡ code then38: let s′.codes := s′.codes+〈〉〈ν1,〈clientid,body[redirect_uri],username〉〉 ⊲ Create

authorization code.39: let redirecturi.parameters := redirecturi.parameters+〈〉〈code,ν1〉40: let redirecturi.parameters := redirecturi.parameters+〈〉〈state,body[state]〉41: let m′ := encs(〈HTTPResp,n,303,〈〈Location, redirecturi〉〉,〈〉〉,k)42: stop 〈〈 f ,a,m′〉〉, s′

43: else ⊲ Assume response type token.44: let s′.atokens := s′.atokens+〈〉〈ν1,clientid,username〉45: let redirecturi.fragment := redirecturi.fragment+〈〉〈access_token,ν1〉46: let redirecturi.fragment := redirecturi.fragment+〈〉〈token_type,bearer〉47: let redirecturi.fragment := redirecturi.fragment+〈〉〈state,body[state]〉48: let m′ := encs(〈HTTPResp,n,303,〈〈Location, redirecturi〉〉,〈〉〉,k)

64

49: stop 〈〈 f ,a,m′〉〉, s′

50: end if51: end if52: else ifpath≡ s.tokenEndpoint then ⊲ Token Endpoint.53: if method6≡ POST then54: stop 〈〉, s55: end if56: let auth:= ⊥57: let clientid := ⊥58: if body[client_id] 6≡ 〈〉 then ⊲ Only client ID is provided, no password.59: let clientid := body[client_id]60: let clientinfo:= s.clients[clientid]61: if clientinfo≡ 〈〉∨ secretOfClientID(clientid, i) 6≡ ⊥ then ⊲ Empty client secret allowed?62: stop 〈〉, s63: end if64: else ifheaders[Authorization].1 6≡ 〈〉 then65: let clientid := headers[Authorization].166: let clientpw:= headers[Authorization].267: if secretOfClientID(clientid, i) 6≡ clientpw∨clientpw≡⊥ then68: stop 〈〉, s69: end if70: let auth:= clientid ⊲ Authentication with client credentials.71: end if72: if body[grant_type]≡ authorization_code then73: if clientid≡⊥ then74: stop 〈〉, s75: end if76: let codeinfo:= s.codes[body[code]]77: if codeinfo≡ 〈〉∨codeinfo.1 6≡ clientid∨codeinfo.2 6≡ body[redirect_uri] then78: stop 〈〉, s79: end if80: let s′.atokens := s′.atokens+〈〉〈ν1,clientid,codeinfo.3〉 ⊲ Add nonce, client ID and user ID to list

of tokens.81: let m′ := encs(〈HTTPResp,n,200,〈〉,〈〈access_token,ν1〉,〈token_type,bearer〉〉〉,k)82: else ifbody[grant_type]≡ password then83: let username:= body[username]84: let password:= body[password]85: if password6≡ secretOfID(username) then86: stop 〈〉, s87: end if88: let s′.atokens := s′.atokens+〈〉〈ν1,clientid,username〉89: let m′ := encs(〈HTTPResp,n,200,〈〉,〈〈access_token,ν1〉,〈token_type,bearer〉〉〉,k)90: else ifbody[grant_type]≡ client_credentials then91: if auth≡⊥ then92: stop 〈〉, s93: end if94: let s′.atokens := s′.atokens+〈〉〈ν1,clientid,⊥〉95: let m′ := encs(〈HTTPResp,n,200,〈〉,〈〈access_token,ν1〉,〈token_type,bearer〉〉〉,k)96: end if97: else ifpath≡ s.inspectEndpoint then ⊲ Inspection Endpoint.98: if method6≡ GET then99: stop 〈〉, s100: end if101: let atoken:= parameters[token]

65

102: let clientid, useridsuch that 〈atoken,clientid,userid〉 ∈〈〉 s′.atokens if possible; otherwise stop〈〉, s103: let secret:= resourceOf(i,clientid,⊥)104: let body′ := 〈〈secret_resource,secret〉,〈client_id,clientid〉,〈user,userid〉〉105: let m′ := encs(〈HTTPResp,n,200,〈〉,body′〉,k)106: end if107: stop 〈〉, s

Algorithm 12 Relation ofscript_idp_form

Input: 〈tree, docnonce, scriptstate, scriptinputs, cookies, localStorage, sessionStorage, ids, secrets〉1: let url := GETURL(tree,docnonce)2: let url.path← S3: let formdata:= scriptstate4: let id← ids5: let secret← secrets6: let formdata:= formdata+〈〉〈username, id〉7: let formdata:= formdata+〈〉〈password,secret〉8: let command:= 〈FORM,url,POST, formdata,⊥〉9: stop 〈s,cookies, localStorage,sessionStorage,command〉

F. Formal Security Properties

The security properties for OAuth are formally defined as follows.

Definition 44 (Authorization Property). Let OWS be an OAuth web system. We say thatOWS issecure w.r.t. authorizationif for every runρ of OWS , every state(Sj ,E j ,N j) in ρ, every IdPi ∈ IDP,every RPr ∈ RP that is honest inSj , everyu∈ ID∪{⊥}, for n= resourceOf(i, r,u), n is derivable fromthe attackers knowledge inSj (i.e.,n∈ d/0(Sj(attacker))), it follows that

1. i is corrupted inSj , or

2. u 6= ⊥ and (i) the browserb owning u is fully corrupted in Sj or (ii) some r ′ ∈trustedRPs(secretOfID(u)) is corrupted inSj .

Definition 45 (Authentication Property). Let OWS be an OAuth web system. We say thatOWS issecure w.r.t. authenticationif for every runρ of OWS , every state(Sj ,E j ,N j) in ρ, everyr ∈ RP that ishonest inSj , everyi ∈ IDP, everyg∈ dom(i), everyu∈ governor−1(i), every RP service token of theform 〈n,〈u,g〉〉 recorded inSj(r).serviceTokens, andn being derivable from the attackers knowledgein Sj (i.e.,n∈ d/0(Sj(attacker))), then the browserb owningu is fully corrupted inSj (i.e., the value ofisCorruptedis FULLCORRUPT), somer ′ ∈ trustedRPs(secretOfID(u)) is corrupted inSj , or i is corruptedin Sj .

G. Proof of Theorem 1

Before we prove Theorem1, we show some general properties of theOWS . We then first prove theauthentication property and then the authorization property.

G.1. Properties of OWS

Let OWS = (W ,S ,script,E0) be a web system. Letρ be a run ofOWS . We writesx = (Sx,Ex,Nx) forthe states inρ.

66

Definition 46. In what follows, given an atomic processp and a messagem, we say thatp emits min arunρ= (s0,s1, . . .) if there is a processing step of the form

su−1−−−→p→E

su

for someu∈ N, a set of eventsE and some addressesx, y with 〈x,y,m〉 ∈ E.

Definition 47. We say that a termt is derivably contained in (a term) t′ for (a set of DY processes) P (ina processing step si→ si+1 of a runρ= (s0,s1, . . .)) if t is derivable fromt ′ with the knowledge availableto P, i.e.,

t ∈ d/0({t′}∪

⋃

p∈P

Si+1(p))

Definition 48. We say thata set of processes P leaks a term t (in a processing step si→ si+1) to a set ofprocesses P′ if there exists a messagem that is emitted (insi → si+1) by somep∈ P andt is derivablycontained inm for P′ in the processing stepsi→ si+1. If we omit P′, we defineP′ := W \P. If P is a setwith a single element, we omit the set notation.

Definition 49. We say that an DY processp createda messagem (at some point) in a run ifm is deriv-ably contained in a message emitted byp in some processing step and if there is no earlier processingstep wherem is derivably contained in a message emitted by some DY process p′.

Definition 50. We say thata browser b accepteda message (as a response to some request) if the brow-ser decrypted the message (if it was an HTTPS message) and called the functionPROCESSRESPONSE,passing the message and the request (see Algorithm6).

Definition 51. We say that an atomic DY processp knows a term tin some states= (S,E,N) of a runif it can derive the term from its knowledge, i.e.,t ∈ d/0(S(p)).

Definition 52. We say that ascript initiated a request rif a browser triggered the script (in Line10of Algorithm 5) and the first component of thecommandoutput of the script relation is eitherHREF,IFRAME, FORM, or XMLHTTPREQUEST such that the browser issues the requestr in the same step as aresult.

The following lemma captures properties of RP when it uses HTTPS. For example, the lemma saysthat other parties cannot decrypt messages encrypted by RP.

Lemma 1 (RP messages are protected by HTTPS).If in the processing stepsi → si+1 of a runρ ofOWS an honest relying partyr (I) emits an HTTPS request of the form

m= enca(〈req,k〉,pub(k′))

(wherereq is an HTTP request,k is a nonce (symmetric key), andk′ is the private key of some other DYprocessu), and (II) in the initial states0 the private keyk′ is only known tou, and (III) u never leaksk′,then all of the following statements are true:

1. There is no state ofOWS where any party except foru knowsk′, thus no one except foru candecryptreq.

2. If there is a processing stepsj → sj+1 where the RPr leaksk to W \{u, r} there is a processingstepsh→ sh+1 with h< j whereu leaks the symmetric keyk to W \{u, r} or r is corrupted insj .

67

3. The value of the host header inreq is the domain that is assigned the public keypub(k′) in RP’skeymappings0.keyMapping (in its initial state).

4. If r accepts a response (say,m′) to m in a processing stepsj → sj+1 and r is honest insj andudid not leak the symmetric keyk to W \{u, r} prior to sj , then eitheru or r created the HTTPSresponsem′ to the HTTPS requestm, in particular, the nonce of the HTTP requestreq is not knownto any atomic processp, except for the atomic DY processesr andu.

PROOF. (1) follows immediately from the condition. Ifk′ is initially only known tou andu never leaksk′, i.e., even with the knowledge of all nonces (except for those of u), k′ can never be derived from anynetwork output ofu, k′ cannot be known to any other party. Thus, nobody except foru can derivereqfrom m.

(2) We assume thatr leaksk to W \{u, r} in the processing stepsj → sj+1 without u prior leakingthe keyk to anyone except foru and r and that the RP is not fully corrupted insj , and lead this to acontradiction.

The RP is honest insi. From the definition of the RP, we see that the keyk is always a fresh nonce thatis not used anywhere else. Further, the key is stored inpendingRequests(ν4 in Lines47f. of Algorithm 8).The information frompendingRequestsis not extracted or used anywhere else, except when handlingthe received messages, where the key is only checked againstand used to decrypt the message (Lines7ff.of Algorithm 8). Hence,r does not leakk to any other party insj (except foru andr). This proves (2).

(3) Per the definition of RPs (Algorithm8), a host header is always contained in HTTP requests byRPs. From Line48 of Algorithm 8 we can see that the encryption key for the requestreq was chosenusing the host header of the message. It is chosen from thekeyMappingin RP’s state, which is neverchanged duringρ. This proves (3).

(4) An HTTPS responsem′ that is accepted byr as a response tom has to be encrypted withk. Thenoncek is stored by the RP in thependingRequestsstate information (see Line47 of Algorithm 8). TheRP only stores freshly chosen nonces there (i.e., the noncesare not used twice, or for other purposes thansending one specific request). The information cannot be altered afterwards (only deleted) and cannotbe read except when the RP checks incoming messages. The nonce k is only known tou (which did notleak it to any other party prior tosj ) andr (which did not leak it either, asu did not leak it andr is honest,see (2)). This proves (4). �

On a high level, the following lemma shows that the contents in the list of pending HTTP requests areimmutable.

Lemma 2 (Pending DNS messages become pending requests).Let r be some honest relying party inOWS , ν ∈ N , l > 0 such that(Sl ,El ,Nl) is a state inρ, and letref ∈ TN , req∈ HTTPRequests suchthatSl (r).pendingDNS≡ Sl−1(r).pendingDNS+〈〉〈ν,〈ref , req〉〉. Then we have that∀l ′: if there existref ′, req′, x, y∈ TN with req.nonce≡ req′.nonce and〈ref ′, req′,x,y〉 ∈〈〉 Sl ′(r).pendingRequests thenreq≡ req′∧ ref ≡ ref ′.

PROOF. We first note that Algorithm8 (of relying parties) modifies the subtermpendingDNSof the RP’sstate only in such a way that entries are appended to or removed from this subterm, but never modified.Entries are appended in Lines23, 60, 116, 134, and146. At all these places in the algorithm, an HTTPmessage term, sayreq, having a fresh (HTTP) nonce, is appended (together with some termref) to thesubtermpendingDNS. (A processing step executing one of these parts of the algorithm results in thestate(Sl ,El ,Nl) of ρ.) Entries are only removed in Line49. In this part of the algorithm, a sequence〈ref ′′, req′′,x,y〉 with x, y ∈ TN and req′′ ≡ req and ref ′′ ≡ ref (which could not have been altered inany processing step) are appended to the subtermpendingRequestsof RP’s state (in Line47). Besides

68

Line 12, where some entry is removed from this subterm, there is no other part of the algorithm thatalterspendingRequestsin any way. Hence, there we cannot have any state(Sl ′ ,El ′ ,Nl ′) of ρ where wehave an request inpendingRequestswith the same (HTTP) nonce but a differentreq′ or a differentref ′.�

Lemma 3 (RPs never send requests to themselves).An honest RP never sends an HTTP request toany RP (including itself), and only sends HTTPS requests to RPs that the receiving RP cannot decrypt.

PROOF. Honest RPs send HTTP requests only in Lines22, 59, 115, 133, and145. In all of these cases,they send the HTTPS request to an endpoint configured in the state (inidps). With Definition 42, itfollows that the domains to which these requests are sent, are never a domain of an RP. All requests aresent over HTTPS, and the “correct” encryption keys (as stored in keyMapping) are used (i.e., even if theattacker changes the DNS response such that an HTTPS requestis sent to an RP, it cannot be decryptedby the RP). �

G.2. Proof of Authentication

We here want to show that every OAuth web system is secure w.r.t. authentication, and therefore assumethat there exists an OAuth web system that is not secure w.r.t. authentication. We then lead this to acontradiction, thereby showing that all OAuth web systems are secure w.r.t. authentication. In detail, weassume:

Assumption 1. There exists an OAuth web systemOWS , a runρ of OWS , a state(Sj ,E j ,N j) in ρ, somer ∈ RP that is honest inSj , somei ∈ IDP that is honest inSj , someg∈ dom(i), someu∈ governor−1(i)with the browserb owning u being not fully corrupted inSj and all r ′ ∈ trustedRPs(secretOfID(u))being honest, some RP service token of the form〈n,〈u,g〉〉 recorded inSj(r).serviceTokens such thatn is derivable from the attackers knowledge inSj (i.e.,n∈ d/0(Sj(attacker))).

To show that this is a contradiction, we first show some lemmas:

Lemma 4 (Attacker does not learn passwords).There exists nol ≤ j, (Sl ,El ,Nl) being a state inρsuch thatsecretOfID(u) ∈ d/0(Sl (attacker)).

PROOF. Let s := secretOfID(u) and R := trustedRPs(s). Initially, in S0, s is only contained inS0(b).secrets[〈d,S〉] for any d ∈

⋃

r ′∈Rdom(r ′)∪ dom(i) and in no other states (or waiting events).By the definition of the browser, we can see that only scripts loaded from the origins〈d,S〉 can accesss.We know thati and allr ′ ∈ R are honest (from the assumption). We therefore have that only the scriptsscript_rp_index, script_rp_implicit, andscript_idp_form can accesss (if loaded from their respectiveorigins) and that the browser does not use or leaks in any other way.script_rp_implicit does not useany browser secrets. We therefore focus on the remaining twoscripts:

script_rp_index. If this script was loaded and has access tos, it must have been loaded from origin〈d,S〉 for a domaind of some trusted relying party, sayt (∈ R). If script_rp_indexselects thesecrets in Line 9 of Algorithm 9, we know that it must have selected the idu in Line 2. Wetherefore know that in Line10, the browserb is instructed to send (using HTTPS)〈u,s〉 to thepath/passwordLogin at d. If b sends such a request,t is the only party able to decrypt thisrequest (see the general security properties in [9]). This message is then processed byt accordingto Lines123ff. There, username and password are forwarded to some IdP, say i′, using an HTTPSPOST request. More precisely, this request is sent to the domain of the token endpoint URLcontained in the IdP registration record for the domain contained inu. From Definitions41and42and the fact that this part of the state (of relying parties) is never changed, we can see that the

69

request is sent to a domain ofi, and thereforei′ = i. (The attacker can also not modify or read thisrequest, see Lemma1.) The body of the HTTPS POST request sent toi is of the following form:

〈〈grant_type,password〉,〈username,u〉,〈password,s〉〉 .

Such a request can processed by IdP only in Lines82ff. of Algorithm 11. There, IdP checkssanddiscards it. Therefore,sdoes not leak fromi, t, or b to the attacker (or any other party).

script_idp_form. If this script was loaded and has access tos, it must have been loaded from origin〈d,S〉 for a domaind of i. This script sendss to d in an HTTPS POST request. Ifb sends such arequest,i is the only party able to decrypt this request (see the general security properties in [9]).This message is then processed byi according to Lines15ff. of Algorithm 11. There, the IdPicheckssand discards it. Therefore,sdoes not leak fromi or b to the attacker (or any other party).

This proves Lemma4.

Lemma 5 (Attacker does not learn authorization codes).There exists nol ≤ j, (Sl ,El ,Nl ) being astate inρ, v∈N , y∈ TN such thatv∈ d/0(Sl (attacker)) and〈v,〈clientIDOfRP(r, i),y,u〉〉 ∈〈〉 Sl (i).codes.

PROOF. Sl (i).codes is initially empty and appended to only in Line38 of Algorithm 11 (where anauthorization code is created). From Line15ff. it is easy to see that the request which triggers thecreation of the authorization code must carry a valid password for the specific identity in the requestbody. With Lemma4, we can see that such a request can not come from the attacker,as the attackerdoes not know the password needed in the request. It can also not originate from an IdP, as IdPs do notsend requests. Further, the request can not originate from any corrupted party or an attacker-controlledorigin in the honest browser (as otherwise there would be a flow where the attacker would learn thepassword by sending it to himself, which can be ruled out by Lemma4). It is also impossible that therequest originated from any non-attacker controlled origin in the honest browser: Such a request could becaused by either a Location redirect or a script. (We will refer to the following as *.) A Location redirectmust have been issued by an honest party (otherwise, the attacker would have learned the password bythe time he issued the response, see Lemma4). There are two occasions where honest parties issueLocation redirect headers:

IdP in Lines 41/48 of Algorithm 11 In this case, an HTTP status code of 303 is sent. While thiscauses the browser to do a new request, the new request has an empty body in any case.26

RP in Line 89 of Algorithm 8 In this case, a 307 redirect could be issued, causing the browser topreserve the request body. We therefore have to check what could have caused the browserto issue a request that caused this Location redirect response, and what body could be con-tained in such a request. For clarity, we call the request causing the redirectionm. It is clearthat m cannot come from the attacker (as it contains the password).It must therefore comefrom an honest browser. If it was caused by a redirect in the honest browser, (*) applies recur-sively. Otherwise, there are three scripts that could send such a request to RP:script_rp_index,script_rp_implicit, and script_idp_form. Of these, onlyscript_rp_index causes a request forthe path/startInteractiveLogin (which triggers the redirection in Line89 of Algorithm 8),which, however, does not contain any secret.

26Note that at this point it is important that a 303 redirect is performed, not a 307 redirect. See Line29 of Algorithm 6 fordetails.

70

A Location redirect can therefore be ruled out as the cause ofthe request. There are three scripts thatcould send such a request:script_rp_index, script_rp_implicit, and script_idp_form. The first two,script_rp_index, script_rp_implicit, do not send requests to any IdP (instead, they only send requests tothe RP that sent the scripts to the browser, IdP does not send these scripts to the browser). The latterscript, script_idp_form, can send the request. In this (last remaining) case, the IdPresponds with aLocation redirect header in the response, which, among others, carries a URL containing the criticalvaluev (in Line 41). In this case, the browser receives the response, and immediately triggers a newrequest to the redirection URL. This URL was composed by the IdP using the list of valid redirectionURIs from Sl (i).clients, a part of the state ofi that is not changed during any run. Definition43defines howSl (i).clients is initialized: For the client idc := clientIDOfRP(r, i), all redirection URLscarry hosts (domains) ofr, have the protocolS (HTTPS), and contain a query parameter componentidentifying the IdPi. In the checks in Lines22ff., it is ensured that in any case, this restriction ondomain and protocol applies to the resulting redirection URI (calledredirecturi in the algorithm) as well.Therefore, the browser’s GET request which is triggered by the Location header and contains the valuev is sent tor over HTTPS.

The RPr can process such a GET request only in Lines65 and91 of Algorithm 8. It is clear, thatin Line 65, the valuev does not leak to the attacker: An honest script is loaded intothe browser, whichdoes not usev in any form.

In Lines91ff., v is forwarded to the IdP for checking its validity and retrieving the access token (thereis also code for retrieving the access code from the implicitflow in this part of the code, which is notof interest here). When sending the authorization code, it is critical to ensure thatv is forwarded to anhonest IdP (in particular,i), and not to the attacker. This is ensured by checking the redirection URLparameters, which, as mentioned above, contain a hint for the IdP in use, in this casei. In Line 94 it ischecked that the IdP, to whichv is eventually sent, isi.

Therefore, we know thatv is sent via POST to the honest IdPi. There, it can only be processedin Lines 52ff. Here, it is easy to see that the valuev (calledbody[code] in the algorithm) is checked.However, the value is never sent out to any other party and therefore does not leak.

We have shown that the valuev cannot be known to the attacker, which proves Lemma5. �

Lemma 6 (Attacker does not learn access tokens).There exists nol ≤ j, (Sl ,El ,Nl) being a state inρ, v∈N , such thatv∈ d/0(Sl (attacker)) and〈v,clientIDOfRP(r, i),u〉 ∈〈〉 Sl (i).atokens.

PROOF. Initially, we haveS0(i).atokens ≡ 〈〉. Sl (i).atokens is appended to only in Lines44, 80, 88,and94 (where in each an access token is issued) of Algorithm11 and not altered in any other way.

In Line 94, a term of the form〈∗,∗,⊥〉 is appended, which is not of the form〈v,clientIDOfRP(r, i),u〉.In what follows, we will distinguish between the lines of Algorithm 11were〈v,clientIDOfRP(r, i),u〉 iscreated:

Line 44. It is easy to see, thati must have received an HTTPS POST request containing an Originheader with one of its HTTPS origins and containing (in its body) a dictionary with the en-tries 〈username,u〉, 〈password,secretOfID(u)〉, and 〈client_id,clientIDOfRP(r, i)〉. FromLemma4 it follows that such a request cannot be assembled by the attacker. Also, neither anIdP nor an RP sends such a request. Hence, this request must have be sent from a browser.In the browser, only the scriptsscript_idp_form and the attacker scriptRatt can instruct thebrowser to send such a request. From Lemma4 we know that the attacker script cannot ac-cesssecretOfID(u) (otherwise, there would be a runρ′ in which the attacker script would sendsecretOfID(u) to the attacker instead). Hence, this request must originate from a command re-turned byscript_idp_form and it must be created by the browserb (which isownerOfID(u)).This script only sends such a request to its own origin, whichmust be an HTTPS origin (it would

71

not have access tosecretOfID(u) otherwise). The IdP responds with a Location redirect header inthe response, which among others, carries a URL containing the critical valuev (in Line 48) in thefragment of the URL. In this case, the browser receives the response, and immediately triggers anew request to the redirection URL. This URL was composed by the IdP using the list of validredirection URIs fromSl (i).clients, a part of the state ofi that is not changed during any run.Definition 43 defines howSl (i).clients is initialized: For the client idc := clientIDOfRP(r, i),all redirection URLs carry hosts (domains) ofr, have the protocolS (HTTPS), and contain aquery parameter component identifying the IdPi. In the checks in Lines22ff., it is ensured that inany case, this restriction on domain and protocol applies tothe resulting redirection URI (calledredirecturi in the algorithm) as well. Therefore, the browser’s GET request which is triggered bythe Location header and contains the valuev in the fragment, is sent tor over HTTPS.

The RPr can process such a GET request only in Lines65and91 of Algorithm 8. It is clear, thatin Line 65, the valuev does not leak to the attacker: The honest scriptscript_rp_index is loadedinto the browser, which does not usev in any form.

In Lines91ff., RP’s algorithm branches into two different flows: (1) RPtakes some value from theURL parameters (which do not containv) and sends it to some process. RP defers its response tothe browser and will (later) only send out the response in Lines36ff. This response, however, doesnot contain a script and hence, the browser will not be instructed to create any new messages fromthe resulting document. Hence,v does not leak in this case. (2) RP sends an HTTPS responsecontaining the scriptscript_rp_implicit (and, in the script’s initial state, a domain ofi derivedfrom the redirection URL), which takesv from the URL parameters and instructs the browser tosend an HTTPS POST request containingv and the domain ofi to the script’s (secure) origin atpath/receiveTokenFromImplicitGrant. RP processes such a request in Lines136ff. whereit forwardsv to the IdP for checking its validity. Here, it is critical to ensure thatv is forwardedto an honest IdP (in particular,i), and not to the attacker. This is fulfilled since a domain ofi iscontained in the request’s body, and, before forwarding, itis checked thatv is only forwarded tothis domain.

Therefore, we know thatv is sent via GET to the honest IdPi. There, it can only be processed inLines97ff. Here, it is easy to see that the valuev is never sent out to any other party and thereforedoes not leak.

Line 80. In this case,i must have received an HTTPS POST request carrying a dictionary in its bodycontaining the entries〈grant_type,authorization_code〉 and 〈code,code〉 with code∈ N

such that〈code,〈clientIDOfRP(r, i),y,u〉〉 ∈〈〉 Sl ′(i).codes for somey ∈ TN and l ′ ≤ l . FromLemma5 it follows that such a request can neither be constructed by the attacker nor by a browserinstructed by the attacker scriptRatt. In a browser, the remaining honest scripts do not instruct thebrowser to send such a request. (Honest) IdPs do not send suchrequests. Hence, such a requestmust have been constructed by an (honest) RP. An RP prepares such a request only in Lines103ff.(of Algorithm 8) and finally sends out this request in Line50 (after a DNS response). WithLemma2 and Lemma1 we know thatreferencecontains a term of the form〈code, idp,∗,∗,∗,∗〉with idp∈ dom(i) (as the request was sent encrypted for and toi). When RP receives the responsefrom i, RP processes this response in Lines7ff. where RP distinguishes between two cases basedon the first subterm inreference. As we know that this subterm iscode, we have that the responseis processed only in Lines15ff. RP takes a subterm from the response’s body which might con-tain27 v in Line 16 and prepares an HTTPS POST request to an URL ofi (which is taken fromthe subtermidpsof RP’s state and this subterm is never altered and initiallyconfigured such that

27The subterm actually isv.

72

the URLs under the dictionary keyidp are actually belonging toi). This HTTPS POST requestcontainsv in the parametertoken. This request is finally sent out this request in Line50 (after aDNS response) encrypted for and toi.

It is now easy to see thati only accepts the request only in Lines97ff. (of Algorithm 11). There,the IdP only checks the parametertoken against its state and discards it afterwards. Hence,vdoes not leak.

Line 88. In this case,i must have received an HTTPS POST request carrying a dictionary in its bodycontaining the entries〈grant_type,password〉, 〈username,u〉, and〈password,secretOfID(u)〉.From Lemma4 it follows that such a request cannot be constructed by the attacker, dishonestscripts in browsers, or any other dishonest party. (Honest)IdPs do not construct such a request.All honest scripts do not instruct a browser to send such a request. Hence, the request musthave been constructed by an honest RP. An RP prepares such a request only in Lines126ff. (ofAlgorithm 8) and finally sends out this request in Line50 (after a DNS response). With Lemma2and Lemma1 we know thatreferencecontains a term of the form〈password, idp,∗,∗,∗,∗〉 withidp∈ dom(i) (as the request was sent encrypted for and toi). When RP receives the response fromi, RP processes this response in Lines7ff. where RP distinguishes between two cases based onthe first subterm inreference. As we know that this subterm iscode, we have that the response isprocessed only in Lines15ff. RP takes a subterm from the response’s body which might contain28

v in Line 16 and prepares an HTTPS POST request to an URL ofi (which is taken from thesubtermidps of RP’s state and this subterm is never altered and initiallyconfigured such thatthe URLs under the dictionary keyidp are actually belonging toi). This HTTPS POST requestcontainsv in the parametertoken. This request is finally sent out this request in Line50 (after aDNS response) encrypted for and toi. It is now easy to see thati only accepts the request only inLines97ff. (of Algorithm 11). There, the IdP only checks the parametertoken against its stateand discards it afterwards. Hence,v does not leak.

We have shown that the valuev cannot be known to the attacker, which proves Lemma6. �

We can now show that Assumption1 is a contradiction.

Lemma 7. Assumption1 is a contradiction.

PROOF. The service token〈n,〈u,g〉〉 can only be created and added to the stateSj(r).serviceTokensin Line 36 of Algorithm 8. To get to this point in the algorithm, in Line26, it is checked thatreferenceis a tupel of the form〈inspect,mode,g,a′, f ′,n′,k′〉. This is taken from the pending requests, wherethe value is transferred to from the pending DNS subterm (seeLemma2). Such a term (starting withinspect) is added to thependingDNS subterm only in Lines23 and 146. We can now do a casedistinction between these two possibilities to identify the requestm′ to which the response containingthe service token will be sent.

Subterm was added in Line 23. In this case, in Line15, an entry of the form〈mode,g,a′, f ′,n′,k′〉must have existed as a reference in the pending HTTP requests, wheremodeis eithercode orpassword.29 Such entries are created in the following lines:

Line 116. Here, a requestm′must have been received which contained a valid authorization codefor the identityu at the IdPi.30 The attacker cannot know such an authorization code (see

28The subterm actually isv.29If modewasclient_credentials, no service token is created.30Otherwise, the IdP would not have returned an access token for the identityu. As g = idp is the value stored in the

reference, it is also clear that the authorization code was,in fact, sent toi for retrieving the access token, and not to the attackeror another identity provider. Also, the request toi was sent over HTTPS, and therefore, Lemma1 applies.

73

Lemma5). The RPr does not send requests to itself or to other RPs (see Lemma3), and noIdPs send requests. Therefore,m′ must have originated from an honest browser.

Line 134. In this case, a requestm′ was received which contained a valid username and passwordcombination foru at i. (As above, we know thati was used to verify that information asg isa domain ofi, andidp= g. ) Only the honest browserb and some relying parties know thispassword (see Lemma4), but the RPs would not send such a request. The requestm′ wastherefore sent from the browserb.

Subterm was added in Line 146. If the subterm〈inspect,mode,g,a′, f ′,n′,k′〉 was added in thisline, the request causing this (m′) must have carried a valid access token for the identityu at i. (Asabove, the access token was sent toi for validation.) The attacker does not know such an accesstoken (see Lemma6), and other RPs or IdPs cannot sendm′. Therefore, an honest browser musthave sentm′.

We therefore have that in all cases,m′ was sent by an honest browser. Further,m′ must have been anHTTPS request (by the definition of RPs). If the request was sent as the result of an XMLHTTPRequestcommand from a script, that script must have been loaded fromthe origin〈gr ,S〉 with gr ∈ dom(r). Thisis a contradiction (there are no honest scripts that use XMLHTTPRequest). Otherwise, it was a “regular”request. In this case, the browser tries to load the service token as a document (which will fail). Inparticular, the service token〈n,〈u,g〉〉 never leaks to the attacker.

We therefore know that the attacker cannot know the service token, which is a contradiction to theassumption. �

G.3. Proof of Authorization

As above, we assume that there exists an OAuth web system thatis not secure w.r.t. authorization andlead this to a contradiction. Note that in the following, some of the lemmas shown above are used.

Assumption 2. There exists a runρ of OWS , a state(Sj ,E j ,N j) in ρ, some IdPi ∈ IDP that is honestin Sj , some RPr ∈ RP that is honest inSj , someu ∈ ID∪{⊥}, somen = resourceOf(i, r,u), n beingderivable from the attackers knowledge inSj (i.e.,n∈ d/0(Sj(attacker))), andu=⊥ or ((i) the browserb owningu is not fully corrupted inSj and (ii) all r ′ ∈ trustedRPs(secretOfID(u)) are honestSj ).

Lemma 8 (Attacker does not learn RP secrets.).There exists nol ≤ j, (Sl ,El ,Nl) being a state inρsuch thatsecretOfRP(r, i) ∈ d/0(Sl (attacker)) unlesssecretOfRP(r, i)≡⊥.

PROOF. Following the definition of the initial states of all atomicprocesses (in particular Definition42),initially, secretOfRP(r, i) is only known tor.

The secret is being used and sent out in an HTTPS message in Lines52ff. of Algorithm 8 The messageis being sent to the token endpoint configured fori, which, according to Definition41, bears a host namebelonging toi. With the definition ofsslkeysin Definition 42 and Lemma1 it can be seen that thisoutgoing HTTP POST request can therefore only be read by the intended receiver,i.

In i, the message cannot be processed in the authentication endpoint, Lines15 to 51 of Algorithm 11,since it does not carry an Origin header. It can be processed in Lines52 to 96. It is easy to see that thesecret in the message is not used in any outgoing message, neither stored in the IdP’s data structures.The message not be processed in Line97ff., since it is a POST request.

The same applies when the client sends the password in Line107ff. or Line 127ff. of Algorithm 8.Therefore, the secretsecretOfRP(r, i) cannot be known to the attacker. �

Lemma 9. Assumption2 is a contradiction.

74

PROOF. At the beginning of each run, the attacker cannot known (as defined in the initial states). Onlythe IdPi can send out the protected resourcen, in Line 105of Algorithm 11. In a state(Sl ′ ,El ′ ,Nl ′) inρ for somel ′ < j, for i to send outn, an HTTPS request must be received byi which contains, amongothers, an access tokena such that〈a,clientIDOfRP(r, i),u〉 ∈〈〉 Sl ′(i).atokens. We therefore note thatfor the attacker to learnn, it has to knowa. We also note that ifr requestsn at the IdPi, the attackercannot readn or a from such messages (see Lemma1).

We now have to distinguish two cases:

Anonymous Resource, i.e., u≡ ⊥. In this case, the access tokena was chosen byi in Line 94 ofAlgorithm 11. There,a is sent out in response to a request that must have contained the clientcredentials forr, where the client secret cannot be⊥ (see Line64. With Lemma8 we see that theattacker cannot send such a request, and therefore, cannot learna. This implies that the attackercannot send the request to learnn from i.

User Resource, i.e.,u 6≡ ⊥. In this Case, Lemma6 shows that it is not possible for the attacker to senda request to learnn.

With this, we have shown that the attacker cannot learnn, and therfore, Assumption2 is a contradica-tion. �

75