{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,13]],"date-time":"2025-07-13T22:40:03Z","timestamp":1752446403328,"version":"3.41.2"},"publisher-location":"Cham","reference-count":22,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030812416"},{"type":"electronic","value":"9783030812423"}],"license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021]]},"DOI":"10.1007\/978-3-030-81242-3_19","type":"book-chapter","created":{"date-parts":[[2021,7,14]],"date-time":"2021-07-14T03:04:02Z","timestamp":1626231842000},"page":"325-337","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Automated Risk Assessment and What-if Analysis of OpenID Connect and OAuth 2.0 Deployments"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5595-2840","authenticated-orcid":false,"given":"Salimeh","family":"Dashti","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6290-3588","authenticated-orcid":false,"given":"Amir","family":"Sharif","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2853-4269","authenticated-orcid":false,"given":"Roberto","family":"Carbone","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7269-9285","authenticated-orcid":false,"given":"Silvio","family":"Ranise","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,7,14]]},"reference":[{"key":"19_CR1","unstructured":"Danezis, G., et al.: Privacy and data protection by design-from policy to engineering. arXiv preprint arXiv:1501.03726 (2015)"},{"key":"19_CR2","doi-asserted-by":"crossref","unstructured":"Dashti, S., Ranise, S.: A tool-assisted methodology for the data protection impact assessment. In: Proceedings of the International Conference on Security and Cryptography (2019)","DOI":"10.5220\/0007932202760283"},{"key":"19_CR3","doi-asserted-by":"crossref","unstructured":"Hansen, M., Jensen, M., Rost, M.: Protection goals for privacy engineering. In: IEEE SPW (2015)","DOI":"10.1109\/SPW.2015.13"},{"key":"19_CR4","doi-asserted-by":"crossref","unstructured":"Hardt, D.: The OAuth 2.0 authorization framework. IETF (2012)","DOI":"10.17487\/rfc6749"},{"key":"19_CR5","unstructured":"Internet-Draft: International Government Assurance Profile (iGov) for OpenID Connect 1.0 (2018)"},{"key":"19_CR6","doi-asserted-by":"crossref","unstructured":"Jones, M., Bradley, J., Sakimura, N.: Json web token (JWT). IETF (2015)","DOI":"10.17487\/RFC7519"},{"key":"19_CR7","unstructured":"Krebs, B.: Internet bank account takeover of +1m users without user interaction. https:\/\/mrbriankrebs.medium.com\/internet-bank-account-takeover-of-1m-users-without-user-interaction-4fc9141740a3. Accessed 25 Mar 2021"},{"key":"19_CR8","doi-asserted-by":"crossref","unstructured":"Li, W., Mitchell, C.J.: User access privacy in OAuth 2.0 and OpenID connect. In: EuroS&PW. IEEE (2020)","DOI":"10.1109\/EuroSPW51379.2020.00095"},{"key":"19_CR9","unstructured":"Lodderstedt, T., Bradley, J., Labunets, A., Fett, D.: OAuth 2.0 Security Best Current Practice (draft-ietf-oauth-security-topics-16). IETF (2020)"},{"key":"19_CR10","doi-asserted-by":"crossref","unstructured":"Lodderstedt, T., McGloin, M., Hunt, P.: RFC 6819: OAuth 2.0 threat model and security considerations. IETF (2013)","DOI":"10.17487\/rfc6819"},{"key":"19_CR11","unstructured":"OpenID Foundation: Financial-grade API - part 1: Baseline security profile. https:\/\/openid.net\/certification\/. Accessed 23 Nov 2020"},{"key":"19_CR12","doi-asserted-by":"crossref","unstructured":"Richer, J., Johansson, L.: Vector of trust (RFC 8485). IETF (2018)","DOI":"10.17487\/RFC8485"},{"key":"19_CR13","unstructured":"Rost, M., Bock, K.: Privacy by design and the new protection goals. In: DuD, vol. 2009 (2011)"},{"issue":"6","key":"19_CR14","doi-asserted-by":"publisher","first-page":"353","DOI":"10.1007\/s11623-009-0072-9","volume":"33","author":"M Rost","year":"2009","unstructured":"Rost, M., Pfitzmann, A.: Datenschutz-schutzziele\u2013revisited. Datenschutz und Datensicherheit-DuD 33(6), 353\u2013358 (2009)","journal-title":"Datenschutz und Datensicherheit-DuD"},{"key":"19_CR15","unstructured":"Sakimura, N.: Authorization delegation: a financial accounts aggregation use case. https:\/\/nat.sakimura.org\/2016\/01\/29\/authorization-delegation-a-financial-accounts-aggregation-use-case\/. Accessed 25 Mar 2021"},{"key":"19_CR16","unstructured":"Sakimura, N., Bradley, J., Jay, E.: Financial-grade API - part 1: Baseline security profile. Accessed 23 Nov 2020"},{"key":"19_CR17","unstructured":"Sakimura, N., Bradley, J., Jones, M., De Medeiros, B., Mortimore, C.: OpenID connect core 1.0 incorporating errata set 1. The OpenID Foundation 335 (2014)"},{"key":"19_CR18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"335","DOI":"10.1007\/978-3-319-12206-9_28","volume-title":"Conceptual Modeling","author":"A Siena","year":"2014","unstructured":"Siena, A., Morandini, M., Susi, A.: Modelling risks in open source software component selection. In: Yu, E., Dobbie, G., Jarke, M., Purao, S. (eds.) ER 2014. LNCS, vol. 8824, pp. 335\u2013348. Springer, Cham (2014). https:\/\/doi.org\/10.1007\/978-3-319-12206-9_28"},{"key":"19_CR19","unstructured":"Similartech.com: Login providers. https:\/\/www.similartech.com\/categories\/login-provider. Accessed 29 Dec 2020"},{"key":"19_CR20","doi-asserted-by":"crossref","unstructured":"Sun, S.T., Beznosov, K.: The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems. In: Proceedings of ACM ASIACCS (2012)","DOI":"10.1145\/2382196.2382238"},{"key":"19_CR21","unstructured":"Torsten, L., Daniel, F.: OpenID connect for identity assurance 1.0. https:\/\/openid.net\/specs\/openid-connect-4-identity-assurance-1_0.html. Accessed 19 June 2019"},{"key":"19_CR22","unstructured":"Wuyts, K., Scandariato, R., Joosen, W., Deng, M., Preneel, B.: LINDDUN: a privacy threat analysis framework (2019)"}],"container-title":["Lecture Notes in Computer Science","Data and Applications Security and Privacy XXXV"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-81242-3_19","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,13]],"date-time":"2025-07-13T22:03:06Z","timestamp":1752444186000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-030-81242-3_19"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"ISBN":["9783030812416","9783030812423"],"references-count":22,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-81242-3_19","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2021]]},"assertion":[{"value":"14 July 2021","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"DBSec","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"IFIP Annual Conference on Data and Applications Security and Privacy","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Calgary, AB","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Canada","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2021","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"19 July 2021","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20 July 2021","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"35","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"dbsec2021","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/wpsites.ucalgary.ca\/dbsec2021\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"45","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"15","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"8","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"33% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}