A survey on OAUTH protocol for security


  • V Srikanth
  • Jupalli Sneha Latha
  • Dinne Ajay Kumar
  • Kakarla Uma Maheswari






OAuth 2.0, Security Vulnerabilities, Authentication.


The web is a dangerous place. For every service and every API there are clients who would love nothing more than to get through the layers of security you have raised. OAuth 2.0 is one of the most widely used open-standard authorization protocols available to API developers today. Most popular social-network APIs, such as those of Google, Twitter and Facebook, use OAuth 2.0 to improve the user experience for single sign-on and social sharing. The authorization code issued during the flow may be leaked in transit and then misused. This paper uses an attacker model to study the security vulnerabilities of the OAuth protocol. Experimental results against the Google API show that some common attacks, such as phishing, replay and impersonation, may be possible against this protocol.
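The abstract's central point, a leaked authorization code being replayed by someone other than the client it was issued to, can be shown with a small simulation. The Python below is an added example, not code from the paper or from any work it cites: a hypothetical in-memory authorization server (class AuthorizationServer, with one constructed client registration "webapp" at https://client.example/cb) issues codes and exchanges them for tokens, first without protection and then with PKCE code-challenge checking (RFC 7636) and single-use codes as RFC 6749 section 4.1.2 requires. The state parameter and TLS are out of scope of the example and are assumed to be handled elsewhere.

```python
"""Toy OAuth 2.0 authorization-code flow showing replay of a leaked code.

Added example; the server, client and URLs are constructed for illustration.
"""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class AuthorizationServer:
    """Hypothetical in-memory authorization server: just enough of the
    authorization and token endpoints to show code issuance and exchange."""

    def __init__(self, require_pkce: bool, single_use_codes: bool):
        self.require_pkce = require_pkce
        self.single_use_codes = single_use_codes
        # code -> {client_id, redirect_uri, challenge, used}
        self.codes = {}
        # constructed client registration: client_id -> registered redirect URI
        self.clients = {"webapp": "https://client.example/cb"}

    def authorize(self, client_id, redirect_uri, code_challenge=None):
        """Authorization endpoint after user consent: mint a code bound to
        the client, the redirect URI and (optionally) a PKCE challenge."""
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri does not match registration")
        if self.require_pkce and not code_challenge:
            raise ValueError("code_challenge required")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "used": False}
        return code

    def token(self, code, client_id, redirect_uri, code_verifier=None):
        """Token endpoint: exchange a code for an access token, or None."""
        entry = self.codes.get(code)
        if entry is None:
            return None
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return None
        if self.single_use_codes and entry["used"]:
            return None  # RFC 6749 4.1.2: a reused code MUST be rejected
        if entry["challenge"] is not None:
            if code_verifier is None:
                return None
            derived = b64url(hashlib.sha256(code_verifier.encode()).digest())
            if not secrets.compare_digest(derived, entry["challenge"]):
                return None  # holder of the code does not hold the verifier
        entry["used"] = True
        return "access-token-" + secrets.token_hex(8)


def replay_without_protection():
    """No PKCE, codes reusable: a sniffed code yields a token to the attacker too.
    Returns (legitimate exchange succeeded, attacker replay succeeded)."""
    srv = AuthorizationServer(require_pkce=False, single_use_codes=False)
    code = srv.authorize("webapp", "https://client.example/cb")
    legit = srv.token(code, "webapp", "https://client.example/cb")
    replayed = srv.token(code, "webapp", "https://client.example/cb")
    return legit is not None, replayed is not None


def replay_with_protection():
    """PKCE plus single-use codes: the attacker who only has the code fails
    even when racing first, and a later replay with the verifier also fails.
    Returns (attacker-first succeeded, legitimate succeeded, replay succeeded)."""
    srv = AuthorizationServer(require_pkce=True, single_use_codes=True)
    verifier = b64url(secrets.token_bytes(32))                     # kept by the client
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())  # sent in the request
    code = srv.authorize("webapp", "https://client.example/cb", challenge)
    attacker_first = srv.token(code, "webapp", "https://client.example/cb")
    legit = srv.token(code, "webapp", "https://client.example/cb", verifier)
    replayed = srv.token(code, "webapp", "https://client.example/cb", verifier)
    return attacker_first is not None, legit is not None, replayed is not None


if __name__ == "__main__":
    print("unprotected (legit, replay):", replay_without_protection())
    print("protected (attacker first, legit, replay):", replay_with_protection())
```

The unprotected run returns (True, True): whoever holds the code can exchange it. The protected run returns (False, True, False): the verifier never leaves the client, so a code captured from the redirect is useless on its own, and marking the code used on the first successful exchange closes the window in which a stolen verifier could be replayed.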



