During the emergency meeting, we proposed a workshop series to provide a forum for the exchange and cooperation between researchers, industry experts and standardization groups in the area of OAuth security. The idea was well received and so we hosted the first OAuth Security Workshop (OSW) at our university in July 2016. Since then, the workshop has been held annually and continues to foster the exchange in the areas of web authentication, authorization, and privacy. We continue to present and discuss our work at this workshop series.
We also joined the IETF OAuth Working Group to develop a new RFC codifying updated security recommendations for OAuth and OpenID Connect based on our findings [Lod+18]. This RFC contains advice on all attacks presented in this work and discusses potential mitigations. It is designed as a Best Current Practice (BCP) document that, in contrast to regular RFCs like [RFC6819], can be updated in the future.
6. Conclusion and Future Work
In this thesis, we have presented two important contributions to the area of web security: First, the most detailed and comprehensive formal model for the web infrastructure to date, and second, a detailed and precise security analysis of the widely used SSO standards OAuth and OpenID Connect, revealing previously unknown attacks.
Our Web Infrastructure Model captures many important features of the web with an unrivaled level of precision. The model is suitable for the analysis of a very wide range of web applications and standards, and with the WebRTC and WebSockets extensions, it supports even more web APIs than in the original publications. Nonetheless, some web features are not currently represented in the model and, since the web is developing at a high pace, there will always be room for elaborating on the model. For example, it could be extended to support complex Cross-Origin Resource Sharing requests, or upcoming technologies such as HTTP Token Binding [Pop+18] or the Web Authentication API [Bal+18].
As we have seen in our case studies, our analyses capitalize on the high level of detail of our pencil-and-paper model. As discussed earlier, achieving a similar level of detail in tools for automated proofs can be challenging. A mechanization of the web model, however, is certainly desirable: encoding the web model in a programming language and using tools to assist in creating and verifying proofs could enable an easier reuse of existing proofs and models, and it could help make formal methods more accessible to developers of applications and protocols. Such an approach could also facilitate the (automated) translation of real-world applications into accurate models and vice versa.
Using the Web Infrastructure Model as the foundation, we carried out the first extensive formal security analyses of the OAuth 2.0 and OpenID Connect standards. The detailed models created to this end comprise all grant types (flows) of OAuth and OIDC and take into account a large range of available options, the OpenID Connect Discovery and Dynamic Registration extensions, as well as corrupted browsers, clients, and OAPs/OPs.
Demonstrating the usefulness of our manual approach, our in-depth analyses revealed five previously unknown attacks on OAuth and OpenID Connect. The attacks break authorization, authentication, and session integrity in realistic settings. We verified all attacks on real-world implementations, proposed fixes, and joined the OAuth Working Group to codify the mitigations into official standards.
We showed that both OAuth and OpenID Connect can in fact be operated securely: With our mitigations in place and under assumptions that can be met in real-world deployments, we proved authentication, authorization and session integrity properties for both standards. Our assumptions are documented in detail and can serve as guidelines for the secure implementation and usage of OAuth and OIDC. The fact that OAuth and OIDC are two of the most widely deployed authorization and authentication systems in the web and the basis for other protocols makes our findings particularly relevant.
Our definitions and proofs for OAuth and OIDC are excellent starting points for the thorough security analysis of technologies related to OAuth such as PKCE, OAuth Token Binding, and OAuth MTLS. PKCE (Proof Key for Code Exchange, [RFC7636]) was developed to protect OAuth even if an attacker can observe the authorization code, as possible on mobile operating systems. OAuth Token Binding [Jon+] limits access tokens, authorization codes, and refresh tokens to specific TLS connections. MTLS (mutual TLS, [Cam+18]) can be used for client authentication and to bind access tokens to client certificates. All of these techniques can and should be evaluated in our model.
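The PKCE mechanism mentioned above, as an added example that is not code from the thesis: the client keeps a random code_verifier secret and sends only its SHA-256 hash (the code_challenge) with the authorization request, so a party that observes the authorization code but not the verifier cannot redeem it at the token endpoint. The class AuthorizationServer and its methods are hypothetical names chosen for this illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Added example (not code from the thesis): the PKCE (RFC 7636) S256 method in
# miniature. AuthorizationServer, issue_code and redeem are hypothetical names.


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Remembers the challenge per issued code; checks the verifier at the token endpoint."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}  # authorization code -> code_challenge (S256)

    def issue_code(self, code_challenge: str) -> str:
        """Authorization endpoint: bind a fresh single-use code to the presented challenge."""
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = code_challenge
        return code

    def redeem(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: the code is consumed on first use and valid only with its verifier."""
        challenge = self._codes.pop(code, None)
        if challenge is None or not 43 <= len(code_verifier) <= 128:
            return False
        return hmac.compare_digest(make_code_challenge(code_verifier), challenge)


def observer_with_code_only() -> bool:
    """Someone who saw the code on the redirect but not the verifier: redemption fails."""
    server = AuthorizationServer()
    code = server.issue_code(make_code_challenge(make_code_verifier()))
    return server.redeem(code, make_code_verifier())  # any other verifier never matches


def legitimate_client() -> tuple[bool, bool]:
    """The client holding the verifier succeeds once; a replay of the same code fails."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.issue_code(make_code_challenge(verifier))
    return server.redeem(code, verifier), server.redeem(code, verifier)
```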
In this work we have demonstrated that challenging security problems in the web can be tackled using formal models and rigorous proofs. With our accurate model and the case studies, we have laid a solid foundation for a more formal treatment of web security. Our hope is that our work will lead to formal methods being used more frequently and at an earlier stage in the development of web protocols, standards, and applications, making the web more secure.
A. The Web Infrastructure Model
In this appendix, we present the Web Infrastructure Model as proposed in [FKS14] and extended in [FKS15a; FKS15b; FKS16; FKS17]. The model also includes the WebRTC and WebSocket extensions presented in Section 2.