Everybody's Looking for SSOmething: A large-scale evaluation on the privacy of OAuth authentication on the web
Authors: Yana Dimova (imec-DistriNet, KU Leuven), Tom Van Goethem (Google / imec-DistriNet, KU Leuven), Wouter Joosen (imec-DistriNet, KU Leuven)
Volume: 2023
Issue: 4
Pages: 452–467
DOI: https://doi.org/10.56553/popets-2023-0119
Abstract: The management of many different login credentials can be tricky for the average web user. OAuth eases this process by invoking identity providers (IdPs) as intermediaries, which identify the users and access their data on behalf of the website, without sharing their credentials. However, the information that IdPs share with websites is not always limited to basic data. Our work observes and documents that IdPs make a variety of resources (scopes) available to be requested by websites, most of which are not necessary for user identification (e.g., location, interests). By performing a large-scale analysis on OAuth-based login on the web, we show that 18.53% of websites using OAuth request at least one non-minimal scope. Additionally, our findings show that at least part of the requested information is redundant since websites provide alternative login methods that require less information from the user. Moreover, through a manual analysis we observe that revoking access to these scopes seems not to hinder the functionality of the website. Finally, when comparing OAuth-based login with registering a new account, we find that OAuth is often the more privacy-friendly option in terms of the amount of personal data being shared with the website.
Keywords: SSO, OAuth, privacy measurement
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.