Below you will find pages that utilize the taxonomy term “OpenID Connect”
Real-life OIDC Security (VII): Responsible Disclosure
This is the final post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, Responsible Disclosure processes with five vendors and maintainers of popular OpenID Connect implementations are outlined. We reported vulnerabilities and security issues in Amazon Cognito, Bitbucket Server, GitLab, Keycloak, and Salesforce.
Real-life OIDC Security (VI): Reusable state leads to DoS Amplification
This is the sixth post of a series on Single Sign-On and OpenID Connect 1.0 security. This post outlines how the fact that the OpenID Connect Core specification only recommends, rather than requires, the state parameter leads to real-life security issues. Namely, the Denial-of-Service Amplification attack is introduced, with CVE-2020-14302 (Keycloak) as an example.
Real-life OIDC Security (V): Redirect URI
This is the fifth post of a series on Single Sign-On and OpenID Connect 1.0 security. This post outlines how the vague specification of the Redirect URI within the OpenID Connect Core specification leads to real-life security issues. Finally, we show a real-world instance of such an issue, CVE-2020-10776 (Keycloak).
Real-life OIDC Security (IV): Server-Side-Request-Forgery
This is the fourth post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, SSRF vulnerabilities that were discovered in popular OIDC implementations (Keycloak (CVE-2020-10770) and Amazon Cognito) are explained in detail.
Real-life OIDC Security (III): CRLF Injections
This is the third post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, a more common CRLF injection in the context of OIDC is discussed in detail. We present issues discovered in GitLab (Severity: High - Critical) and Bitbucket Server (Severity: Informative - Low).
Real-life OIDC Security (II): Login Confusion
This is the second post of a series on Single Sign-On and OpenID Connect 1.0 security. In this post, the novel Login Confusion attack is described in detail. We use Bitbucket Server as an example.
CVE-2020-13294
The following (slightly modified) advisory was sent to GitLab via HackerOne on 19th June 2020.
Real-life OIDC Security (I): Overview
This is the first post of a series on Single Sign-On and OpenID Connect 1.0 security. This post presents a high-level overview of observed issue patterns during my research on real-life OIDC security and proposes additions to the specification’s security considerations.