{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,19]],"date-time":"2026-03-19T07:03:45Z","timestamp":1773903825835,"version":"3.50.1"},"reference-count":47,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2015,3,9]],"date-time":"2015-03-09T00:00:00Z","timestamp":1425859200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015,3,9]]},"abstract":"<jats:sec>\n               <jats:title content-type=\"abstract-heading\">Purpose<\/jats:title>\n               <jats:p> \u2013 The interoperability of cloud data between web applications and mobile devices has vastly improved over recent years. The popularity of social media, smartphones and cloud-based web services has contributed to the level of integration that can be achieved between applications. This paper investigates the potential security issues of OAuth, an authorisation framework for granting third-party applications revocable access to user data. OAuth has rapidly become an interim <jats:italic>de facto<\/jats:italic> standard for protecting access to web API data. Vendors implemented OAuth before the open standard was officially published. To evaluate whether the OAuth 2.0 specification is truly ready for industry application, an entire OAuth client-server environment was developed and validated against the specification's threat model. The research also included analysing the security features of several popular OAuth-integrated websites and comparing them against the threat model. High-impacting exploits leading to account hijacking were identified in a number of major online publications. It is hypothesised that the OAuth 2.0 specification can be a secure authorisation mechanism when implemented correctly. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title>\n               <jats:p> \u2013 To analyse the security of OAuth implementations in industry, a list of the 50 most popular websites in Ireland was retrieved from the statistical website Alexa (Noureddine and Bashroush, 2011). Each site was analysed to identify whether it used OAuth. Out of the 50 sites, 21 were identified with OAuth support. Each vulnerability in the threat model was then tested against each OAuth-enabled site. To test the robustness of the OAuth framework, an entire OAuth environment was required. The proposed solution would consist of three parts: a client application, an authorisation server and a resource server. The client application needed to consume OAuth-enabled services. The authorisation server had to manage access to the resource server. The resource server had to expose data from the database based on the authorisation the user would be given by the authorisation server. It was decided that the client application would consume emails from Google\u2019s Gmail API. The authorisation and resource servers were modelled around a basic task-tracking web application. The client application would also consume task data from the developed resource server. The client application would also support Single Sign On for Google and Facebook, as well as a purpose-built identity provider, \u201cMyTasks\u201d. The authorisation server delegated authorisation to the client application and stored cryptographic material for each access grant. The resource server validated the supplied access token using public-key cryptography and returned the requested data. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Findings<\/jats:title>\n               <jats:p> \u2013 Two sites out of the 21 were found to be susceptible to some form of attack, meaning that 10.5 per cent were vulnerable. In total, 18 per cent of the world\u2019s 50 most popular sites were in the list of 21 OAuth-enabled sites. The OAuth 2.0 specification is still very much in its infancy, but when implemented correctly, it can provide a relatively secure and interoperable authorisation delegation mechanism. The IETF are currently addressing issues and extensions in their working drafts. Once a strict level of conformity is achieved between vendors and vulnerabilities are mitigated, it is likely that the framework will change the way we access data on the web and other devices. <\/jats:p>\n            <\/jats:sec>\n            <jats:sec>\n               <jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title>\n               <jats:p> \u2013 OAuth is flexible, in that it offers extensions to support varying situations and existing technologies. A disadvantage of this flexibility is that new extensions typically bring new security exploits. Members of the IETF OAuth Working Group are constantly refining the draft specifications and identifying new threats to the expanding functionality. OAuth provides a flexible authorisation mechanism to protect and delegate access to APIs. It addresses the problem of password re-use across multiple accounts and stops the user from having to disclose their credentials to third parties. Filtering access to information by scope and giving the user the option to revoke access at any point gives the user control of their data. OAuth does raise security concerns, such as defying phishing education, but there are always going to be security issues with any authentication technology. 
Although several high-impacting vulnerabilities were identified in industry, the developed solution supports the hypothesis that a secure OAuth environment can be built when the specification is implemented correctly. Developers must conform to the defined specification and are responsible for validating their implementation against the given threat model. OAuth is an evolving authorisation framework. It is still in its infancy, and much work needs to be done in the specification to achieve stricter validation and vendor conformity. Vendor implementations need to become better aligned in order to provide a rich and truly interoperable authorisation mechanism. Once these issues are resolved, OAuth will be on track to become the definitive authorisation standard on the web.<\/jats:p>\n            <\/jats:sec>","DOI":"10.1108\/ics-12-2013-0089","type":"journal-article","created":{"date-parts":[[2015,2,26]],"date-time":"2015-02-26T06:35:30Z","timestamp":1424932530000},"page":"73-101","source":"Crossref","is-referenced-by-count":29,"title":["Security evaluation of the OAuth 2.0 framework"],"prefix":"10.1108","volume":"23","author":[{"given":"Eugene","family":"Ferry","sequence":"first","affiliation":[]},{"given":"John","family":"O Raw","sequence":"additional","affiliation":[]},{"given":"Kevin","family":"Curran","sequence":"additional","affiliation":[]}],"member":"140","reference":[
{"key":"key2020122521294139700_b1","unstructured":"Alexa (2013), Top Sites by Category: Regional\/Europe\/Ireland, available at: www.alexa.com\/topsites\/category\/Top\/Regional\/Europe\/Ireland (accessed 14 March 2013)."},
{"key":"key2020122521294139700_b4","doi-asserted-by":"crossref","unstructured":"Bansal, C., Bhargavan, K., Delignat-Lavaud, A. and Maffeis, S. (2013), \u201cKeys to the cloud: formal analysis and concrete attacks on encrypted web storage\u201d, Second International Conference on Principles of Security and Trust \u2013 POST, Rome, Italy, pp. 126-146.","DOI":"10.1007\/978-3-642-36830-1_7"},
{"key":"key2020122521294139700_b3","doi-asserted-by":"crossref","unstructured":"Bansal, C., Bhargavan, K. and Maffeis, S. (2012), \u201cDiscovering concrete attacks on website authorization by formal analysis\u201d, IEEE 25th Computer Security Foundations Symposium, Harvard University, Cambridge, MA, pp. 247-262.","DOI":"10.1109\/CSF.2012.27"},
{"key":"key2020122521294139700_b5","doi-asserted-by":"crossref","unstructured":"Boshmaf, Y., Muslukhov, I., Beznosov, K. and Ripeanu, M. (2011), \u201cThe socialbot network: when bots socialize for fame and money\u201d, 2011 Annual Computer Security Applications Conference, Orlando, FL, pp. 93-102.","DOI":"10.1145\/2076732.2076746"},
{"key":"key2020122521294139700_b8","unstructured":"Browser Auth (2013), Channel-Bound Cookies, available at: www.browserauth.net\/channel-bound-cookies (accessed 4 March 2013)."},
{"key":"key2020122521294139700_b9","unstructured":"Campbell, B. and Mortimore, C. (2012), SAML 2.0 Bearer Assertion Profiles for OAuth 2.0, available at: http:\/\/tools.ietf.org\/html\/draft-ietf-oauth-saml2-bearer-15 (accessed 20 January 2013)."},
{"key":"key2020122521294139700_b10","unstructured":"Campbell, B., Mortimore, C. and Jones, M. (2012), JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0, available at: http:\/\/tools.ietf.org\/html\/draft-ietf-oauth-jwt-bearer-04 (accessed 20 January 2013)."},
{"key":"key2020122521294139700_b11","unstructured":"Campbell, B., Mortimore, C., Jones, M. and Goland, Y. (2013), Assertion Framework for OAuth 2.0, available at: http:\/\/tools.ietf.org\/html\/draft-ietf-oauth-assertions-10 (accessed 20 January 2013)."},
{"key":"key2020122521294139700_b12","unstructured":"Cloud Identity (2011), OAuth Dynamic Client Registration, available at: https:\/\/dev.cloudidentity.co.uk\/confluence\/display\/CI\/OAuth+Dynamic+Client+Registration (accessed 2 March 2013)."},
{"key":"key2020122521294139700_b13","unstructured":"Connolly, P.J. (2010), \u201cOAuth is the \u2018hottest thing\u2019 in identity management\u201d, eWeek, Vol. 27 No. 9, pp. 12-14."},
{"key":"key2020122521294139700_b14","doi-asserted-by":"crossref","unstructured":"Dinesha, A. and Agrawal, K. (2012), \u201cMulti-level authentication technique for accessing cloud services\u201d, International Conference on Computing, Communication and Applications, 22-24 February, Dindigul, Tamil Nadu.","DOI":"10.1109\/ICCCA.2012.6179130"},
{"key":"key2020122521294139700_b15","doi-asserted-by":"crossref","unstructured":"Duggan, G. (2012), \u201cRational security: modelling everyday password use\u201d, International Journal of Human-Computer Studies, Vol. 70 No. 6, pp. 415-431.","DOI":"10.1016\/j.ijhcs.2012.02.008"},
{"key":"key2020122521294139700_b16","unstructured":"Duggan, M. and Brenner, J. (2013), \u201cThe demographics of social media users \u2013 2012\u201d, Pew Research Center, Washington, DC."},
{"key":"key2020122521294139700_b19","doi-asserted-by":"crossref","unstructured":"Gomaa, I., Salama, G. and Imam, I. (2012), \u201cBiometric OAuth service based on finger-knuckles\u201d, Computer Engineering & Systems, 27-29 November, Cairo, pp. 170-175.","DOI":"10.1109\/ICCES.2012.6408506"},
{"key":"key2020122521294139700_b21","unstructured":"Google Chrome (2013), \u201cGoogle Chrome privacy whitepaper\u201d, available at: www.google.com\/intl\/en\/chrome\/browser\/privacy\/whitepaper.html (accessed 14 April 2013)."},
{"key":"key2020122521294139700_b23","doi-asserted-by":"crossref","unstructured":"Grosse, E. and Upadhyay, M. (2013), \u201cAuthentication at scale\u201d, IEEE Security & Privacy, Vol. 11 No. 1, pp. 15-22.","DOI":"10.1109\/MSP.2012.162"},
{"key":"key2020122521294139700_b24","doi-asserted-by":"crossref","unstructured":"Hardt, D. (2012), The OAuth 2.0 Authorization Framework, available at: http:\/\/tools.ietf.org\/html\/rfc6749 (accessed 24 November 2012).","DOI":"10.17487\/rfc6749"},
{"key":"key2020122521294139700_b25","unstructured":"Hardt, D. and Jones, M. (2012), The OAuth 2.0 Authorization Framework: Bearer Token Usage, available at: http:\/\/tools.ietf.org\/html\/rfc6750 (accessed 29 March 2013)."},
{"key":"key2020122521294139700_b26","unstructured":"Honan, M. (2012), How Apple and Amazon Security Flaws Led to My Epic Hacking, available at: www.wired.com\/gadgetlab\/2012\/08\/apple-amazon-mat-honan-hacking (accessed 4 December 2012)."},
{"key":"key2020122521294139700_b27","unstructured":"Huang, L., Moshchuk, A., Wang, J., Schechter, S. and Jackson, C. (2012), \u201cClickjacking: attacks and defenses\u201d, 21st USENIX Security Symposium, Bellevue, WA, pp. 413-428."},
{"key":"key2020122521294139700_b28","unstructured":"IETF (2012), \u201cWeb authorization protocol (OAuth) \u2013 Charter\u201d, available at: http:\/\/datatracker.ietf.org\/wg\/oauth\/charter (accessed 2 March 2013)."},
{"key":"key2020122521294139700_b29","unstructured":"Jannikmeyer, P. (2013), \u201cNumber news\u201d, Engineering & Technology, Vol. 8 No. 2, p. 20."},
{"key":"key2020122521294139700_b30","unstructured":"Jones, M., Balfanz, D., Bradley, J., Goland, Y., Panzer, J., Sakimura, N. and Tarjan, P. (2011), JSON Web Token (JWT), available at: http:\/\/tools.ietf.org\/html\/draft-jones-json-web-token-10 (accessed 21 January 2013)."},
{"key":"key2020122521294139700_b31","doi-asserted-by":"crossref","unstructured":"Lakshmiraghavan, B. (2013), Pro ASP.NET Web API Security, 1st ed., Apress, New York, NY.","DOI":"10.1007\/978-1-4302-5783-7_1"},
{"key":"key2020122521294139700_b32","doi-asserted-by":"crossref","unstructured":"Leiba, B. (2012), \u201cOAuth web authorization protocol\u201d, IEEE Internet Computing, Vol. 16 No. 1, pp. 74-77.","DOI":"10.1109\/MIC.2012.11"},
{"key":"key2020122521294139700_b34","unstructured":"Lodderstedt, T., McGloin, M. and Hunt, P. (2013), OAuth 2.0 Threat Model and Security Considerations, available at: http:\/\/tools.ietf.org\/html\/rfc6819 (accessed 29 March 2013)."},
{"key":"key2020122521294139700_b35","doi-asserted-by":"crossref","unstructured":"Noureddine, M. and Bashroush, R. (2011), \u201cA provisioning model towards OAuth 2.0 performance optimization\u201d, 2011 10th IEEE International Conference on Cybernetic Intelligent Systems, New York, NY, pp. 76-80.","DOI":"10.1109\/CIS.2011.6169138"},
{"key":"key2020122521294139700_b36","unstructured":"OASIS (2008), Security Assertion Markup Language (SAML) V2.0 Technical Overview, available at: www.oasis-open.org\/committees\/download.php\/27819\/sstc-saml-tech-overview-2.0-cd-02.pdf (accessed 21 January 2013)."},
{"key":"key2020122521294139700_b37","doi-asserted-by":"crossref","unstructured":"Obrenovi\u0107, Z. and den Haak, B. (2012), \u201cIntegrating user customization and authentication: the identity crisis\u201d, IEEE Security & Privacy, Vol. 10 No. 5, pp. 82-85.","DOI":"10.1109\/MSP.2012.119"},
{"key":"key2020122521294139700_b40","unstructured":"Richer, J., Bradley, J., Jones, M. and Machulak, M. (2013), OAuth Dynamic Client Registration Protocol, available at: http:\/\/tools.ietf.org\/html\/draft-ietf-oauth-dyn-reg-07 (accessed 3 April 2013)."},
{"key":"key2020122521294139700_b41","unstructured":"Richer, J., Mills, W. and Tschofenig, H. (2013), OAuth 2.0 Message Authentication Code (MAC) Tokens, available at: http:\/\/tools.ietf.org\/pdf\/draft-ietf-oauth-v2-http-mac-03.pdf (accessed 23 March 2013)."},
{"key":"key2020122521294139700_b43","unstructured":"Sakimura, N., Bradley, J. and Jones, M. (2013), OpenID Connect Dynamic Client Registration 1.0 \u2013 Draft 14, available at: http:\/\/openid.net\/specs\/openid-connect-registration-1_0.html (accessed 3 April 2013)."},
{"key":"key2020122521294139700_b42","unstructured":"Sakimura, N., Bradley, J., Jones, M., de Medeiros, B. and Mortimore, C. (2013), OpenID Connect Basic Client Profile 1.0 \u2013 Draft 23, available at: http:\/\/openid.net\/specs\/openid-connect-basic-1_0.html (accessed 24 January 2013)."},
{"key":"key2020122521294139700_b44","unstructured":"SalesForce (2012), SAML Assertion Flow, available at: http:\/\/help.salesforce.com\/help\/doc\/en\/remoteaccess_oauth_SAML_bearer_flow.htm (accessed 25 February 2013)."},
{"key":"key2020122521294139700_b45","doi-asserted-by":"crossref","unstructured":"Shehab, M. and Marouf, S. (2012), \u201cRecommendation models for open authorization\u201d, IEEE Transactions on Dependable and Secure Computing, Vol. 9 No. 4, pp. 583-595.","DOI":"10.1109\/TDSC.2012.34"},
{"key":"key2020122521294139700_b46","unstructured":"Sun, S. and Beznosov, K. (2012), \u201cAn empirical analysis of OAuth SSO systems\u201d, 2012 ACM Conference on Computer and Communications Security, Raleigh, NC, pp. 378-390."},
{"key":"key2020122521294139700_b47","unstructured":"Twitter (2012), PIN-based Authorization, available at: https:\/\/dev.twitter.com\/docs\/auth\/pin-based-authorization (accessed 11 February 2013)."},
{"key":"key2020122521294139700_frd1","unstructured":"Alexa (2013), Huffingtonpost.com Site Info, available at: www.alexa.com\/siteinfo\/huffingtonpost.com (accessed 16 March 2013)."},
{"key":"key2020122521294139700_frd2","unstructured":"Boshmaf, Y., Muslukhov, I., Beznosov, K. and Ripeanu, M. (2012), \u201cKey challenges in defending against malicious socialbots\u201d, 5th USENIX Conference on Large-Scale Exploits and Emergent Threats \u2013 LEET, San Jose, CA."},
{"key":"key2020122521294139700_frd3","unstructured":"Boyd, R. (2012), Getting Started with OAuth 2.0, 1st ed., O\u2019Reilly Media, CA."},
{"key":"key2020122521294139700_frd4","unstructured":"Facebook (2012), Login for Server-side Apps, available at: https:\/\/developers.facebook.com\/docs\/howtos\/login\/server-side-login\/ (accessed 22 February 2013)."},
{"key":"key2020122521294139700_frd5","doi-asserted-by":"crossref","unstructured":"Ghazizadeh, E., Zamani, M., Manan, J. and Pashang, A. (2012), \u201cA survey on security issues of federated identity in the cloud computing\u201d, 2012 IEEE 4th International Conference on Cloud Computing Technology and Science, Taipei, Taiwan, pp. 562-565.","DOI":"10.1109\/CloudCom.2012.6427513"},
{"key":"key2020122521294139700_frd6","unstructured":"Google (2012), Using OAuth 2.0 to Access Google APIs, available at: https:\/\/developers.google.com\/accounts\/docs\/OAuth2 (accessed 25 February 2013)."},
{"key":"key2020122521294139700_frd7","unstructured":"Google Developers (2012), Google I\/O 2012 \u2013 OAuth 2.0 for Identity and Data Access, available at: www.youtube.com\/watch?v=YLHyeSuBspI (accessed 12 December 2012)."},
{"key":"key2020122521294139700_frd8","doi-asserted-by":"crossref","unstructured":"Liu, K. and Xu, K. (2012), \u201cOAuth based authentication and authorization in open telco API\u201d, 2012 International Conference on Computer Science and Electronics Engineering, Hangzhou, China, pp. 176-179.","DOI":"10.1109\/ICCSEE.2012.275"},
{"key":"key2020122521294139700_frd9","doi-asserted-by":"crossref","unstructured":"Pai, S., Sharma, Y., Kumar, S., Pai, R. and Singh, S. (2011), \u201cFormal verification of OAuth 2.0 using alloy framework\u201d, IEEE International Conference on Communication Systems and Network Technologies 2011, Katra, Jammu, pp. 655-659.","DOI":"10.1109\/CSNT.2011.141"},
{"key":"key2020122521294139700_frd10","unstructured":"Ping Identity (2011), The essential OAuth primer: understanding OAuth for securing cloud APIs, available at: www.innovation-district.com\/wp-content\/uploads\/2012\/04\/The-Essentials-of-OAuth.pdf (accessed 17 December 2012)."}
],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/ICS-12-2013-0089","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2013-0089\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2013-0089\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:24Z","timestamp":1753406604000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/23\/1\/73-101\/111054"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,3,9]]},"references-count":47,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2015,3,9]]}},"alternative-id":["10.1108\/ICS-12-2013-0089"],"URL":"https:\/\/doi.org\/10.1108\/ics-12-2013-0089","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2015,3,9]]}}}
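The abstract's design section describes an authorisation server that stores cryptographic material per access grant and a resource server that validates the presented access token with public-key cryptography, and the originality section adds scope filtering and user revocation. The following is an added example illustrating that split; it is not code from the paper or its "MyTasks" environment. It assumes Ed25519 signatures (the paper does not name an algorithm), a simplified two-part signed token rather than a standards-conformant JWT, and an in-process revocation lookup standing in for whatever back-channel the real system used. The audience name "tasks-api", the scopes "tasks:read"/"tasks:write", the user "alice" and the grant ids are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Grant is the claim set the authorisation server signs for one access grant.
// Field names are this example's own choice, not taken from the paper.
type Grant struct {
	Sub   string   `json:"sub"`   // resource owner
	Aud   string   `json:"aud"`   // resource server the token is meant for
	Scope []string `json:"scope"` // operations the user consented to
	Exp   int64    `json:"exp"`   // expiry, Unix seconds
	JTI   string   `json:"jti"`   // grant id, the handle used for revocation
}

// AuthServer holds the private key plus the per-grant state the user can revoke.
type AuthServer struct {
	priv    ed25519.PrivateKey
	revoked map[string]bool
}

func NewAuthServer() (*AuthServer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &AuthServer{priv: priv, revoked: map[string]bool{}}, pub, nil
}

// Issue returns base64url(payload) + "." + base64url(signature over payload).
func (a *AuthServer) Issue(g Grant) (string, error) {
	payload, err := json.Marshal(g)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(a.priv, payload)), nil
}

func (a *AuthServer) Revoke(jti string)         { a.revoked[jti] = true }
func (a *AuthServer) IsRevoked(jti string) bool { return a.revoked[jti] }

// ResourceServer holds only the public key: it can verify tokens but never mint them.
// isRevoked stands in for a back-channel query to the authorisation server (assumed design).
type ResourceServer struct {
	pub       ed25519.PublicKey
	audience  string
	isRevoked func(string) bool
	now       func() time.Time
}

var ErrUnauthorized = errors.New("unauthorized")

// Authorize checks signature, audience, expiry, revocation and scope, in that order.
// Every failure maps to the same error so the caller learns nothing about which check failed.
func (r *ResourceServer) Authorize(token, requiredScope string) (*Grant, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, ErrUnauthorized
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, ErrUnauthorized
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil || !ed25519.Verify(r.pub, payload, sig) {
		return nil, ErrUnauthorized // forged, or payload altered after signing
	}
	var g Grant
	if err := json.Unmarshal(payload, &g); err != nil {
		return nil, ErrUnauthorized
	}
	if g.Aud != r.audience || !r.now().Before(time.Unix(g.Exp, 0)) || r.isRevoked(g.JTI) {
		return nil, ErrUnauthorized
	}
	for _, s := range g.Scope {
		if s == requiredScope {
			return &g, nil
		}
	}
	return nil, ErrUnauthorized // genuine token, but the user never consented to this operation
}

func main() {
	as, pub, err := NewAuthServer()
	if err != nil {
		panic(err)
	}
	rs := &ResourceServer{pub: pub, audience: "tasks-api", isRevoked: as.IsRevoked, now: time.Now}
	tok, _ := as.Issue(Grant{Sub: "alice", Aud: "tasks-api", Scope: []string{"tasks:read"},
		Exp: time.Now().Add(time.Hour).Unix(), JTI: "grant-1"})
	_, err = rs.Authorize(tok, "tasks:read")
	fmt.Println("read with read scope:", err)
	_, err = rs.Authorize(tok, "tasks:write")
	fmt.Println("write with read scope:", err)
	as.Revoke("grant-1")
	_, err = rs.Authorize(tok, "tasks:read")
	fmt.Println("read after revocation:", err)
}
```

The ordering in Authorize matters: the signature is verified before the payload is parsed or any claim is trusted, so an attacker who edits the scope list, the audience or the expiry in transit is rejected at the first step, and the revocation check makes a still-valid signature insufficient once the user has withdrawn the grant.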