Questions tagged [openid]

An open Single Sign On (SSO) solution for the web, a problem also addressed by SAML.

95 questions
169
votes
7 answers

Difference between OAuth, OpenID and OpenID Connect in very simple terms?

I am very confused by the difficult jargon available on the web about OAuth, OpenID and OpenID Connect. Can anyone tell me the difference in simple words?
user960567
  • 2,461
  • 4
  • 16
  • 16
53
votes
10 answers

Isn't OAuth, OpenID, Facebook Connect, and others crazy from a security standpoint?

I work with APIs all the time and I work with web developers who insist that OAuth, OpenID, etc. are far superior to a home-brew method. Every site seems to be using these as well now for ease of use to the user, but also for security. I hear it…
Oscar Godson
  • 631
  • 5
  • 5
45
votes
5 answers

What are the downsides of BrowserID/Persona compared to OpenID/OAuth/Facebook?

Mozilla went live with a new service called BrowserID/Persona (announcement, background). It is intended to replace current single-sign-on solutions such as OpenID, OAuth and Facebook. One advantage is that a future integration into the browsers…
Hendrik Brummermann
  • 27,118
  • 6
  • 79
  • 121
44
votes
6 answers

Can someone explain the "Covert Redirect" vulnerability in OAuth and OpenID?

CNet is reporting that all OpenID and OAuth sites are vulnerable to an attack called "Covert Redirect". What is this attack, how does it work, and as an end user, how can I mitigate the risk?
Daniel Pryden
  • 895
  • 1
  • 6
  • 12
38
votes
3 answers

Why isn't PKCE encouraged for Single-Page Apps?

A lot of services today still recommend the implicit flow for an OpenID Connect/OAuth2 token exchange when developing Single-Page Apps. (See Okta - now recommends PKCE w/ implicit fallback, Google, Auth0.) Some newer guidance out there points towards…
someone1
  • 686
  • 1
  • 7
  • 10
33
votes
3 answers

When do you use OpenID vs. OpenID Connect?

Can they be used together? ... or are they two separate protocols that may or may not be useful depending on the context? The reason I ask is because I'm trying to implement the following: User "Bob" goes to a Client implemented as a User-Agent…
tjb1982
  • 433
  • 1
  • 4
  • 7
23
votes
4 answers

How does using OpenID affect webapp security?

Using OpenID for authenticating users grows in popularity and, in fact, makes a webapp easier to use. But what are the security considerations one should bear in mind when deciding whether to implement an OpenID or not? Is it suitable for any kind…
rem
  • 2,017
  • 2
  • 19
  • 27
22
votes
1 answer

Does the practice of blocking off-site "Referer:" HTTP requests improve website security?

Is there any benefit for a security-paranoid website to disallow HTTP requests that have a Referer: from 3rd party sites? The pitch is that if such an HTTP request were to come in, then certain XSS attacks would be prevented, and certain OpenID…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
21
votes
7 answers

Appropriate password requirements for a login (OpenID) service/provider/delegate/thing

This is with regards* to Stack Exchange's upcoming OpenID provider (and in particular, discussion about password requirements). Currently, password requirements are: Must contain 3 of: lower case character, upper case character, number, special…
Kevin Montrose
  • 311
  • 1
  • 7
21
votes
3 answers

Isn't OpenID with HTTP an issue?

Many OpenID-enabled sites default to HTTP identifiers, even if the OpenID provider supports HTTPS (such as myopenid.com). Does this pose a threat besides the identity being exposed? The second step of the OpenID authentication includes a verification…
Hendrik Brummermann
  • 27,118
  • 6
  • 79
  • 121
19
votes
2 answers

Essential things to think about before outsourcing authentication with OpenID, OAuth, or SAML

It's clear that there is no consistent set of features among any of the popular authentication providers. Below is an attempt to aggregate the similarities and differences I've noticed, but I would appreciate your advice on what additional…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
16
votes
4 answers

Are malicious relying parties able to abuse OpenID logins?

If I log on with OpenID to a website (crafted by attackers/hackers), I want to know how much damage they can do to me. Are they able to steal my contact info, name, etc.? (Assuming I'm using Gmail OpenID.)
Pacerier
  • 3,253
  • 6
  • 34
  • 61
16
votes
2 answers

Why is OpenID considered secure when password reuse is not?

OpenID allows you to use your e.g. Google/Facebook/Microsoft account to log into a third party website. It can be used to log into Stack Exchange. Why is this considered an acceptable practice, while password reuse is not? Does it not amount to…
JonnyWizz
  • 1,971
  • 1
  • 14
  • 34
14
votes
2 answers

What are OpenID scopes and claims?

I need to implement SSO on our web API and I was reading about OpenID and IdentityServer. This is my first connection with SSO, OAuth and OpenID. In the presentation movies I heard a lot about scopes and claims, but the presenter never explained…
Buda Gavril
  • 255
  • 1
  • 2
  • 5
12
votes
1 answer

What encryption prevents the tampering of Windows Identity Foundation (WIF) FedAuth cookies?

It occurred to me that the WIF FedAuth cookies contain identity information that, if tampered with, could permit someone to assume the identity of another user. Fortunately, WIF does cryptographically authenticate the message, but I don't…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536