Awesome OAuth2.0 and OpenID Connect Security

OAuth2.0 and OpenID from an information security perspective.

Specifications

The OAuth 2.0 Authorization Framework (RFC 6749)
OAuth 2.0 Threat Model and Security Considerations (RFC 6819)

Articles

OAuth 2 Simplified
OAuth 2.0
Diagrams And Movies Of All The OAuth 2.0 Flows
Which OAuth 2.0 Flow Should I Use?
Publications about OAuth & OIDC by Daniel Fett

OpenID Connect

OpenID Connect
Understanding ID Token
Inclusion Relation among JWS, JWE, JWT, ID Token and Access Token
[pdf] OpenID Connect Security Considerations
OpenID Specifications

Cheatsheets

OAuth 2.0 Threat Model Pentesting Checklist
Hack3rScr0lls OAuth2.0 attacking mindmap
OAuth to Account takeover
OAuth 2.0 Vulnerabilities
OpenID Connect Vulnerabilities
OAuth by Sakurity
OAuth 2.0 Security Cheat Sheet (by Koen Buyens)

Laboratories / Learning Materials

OAuth 2.0 authentication vulnerabilities (PortSwigger)
Damn Vulnerable OAuth 2.0 Applications
HackTheBox Oouch machine (retired)
Spring Security OAuth2 Remote Command Execution Vulnerability (CVE-2016-4977)
PentesterLab Pro Exercises (filter by "OAuth")

HackerOne Reports

Top OAuth reports from HackerOne
#317476 Account takeover in Periscope TV (Host header poisoning)

Bug Bounty Writeups

Bypassing GitHub's OAuth flow
Traveling with OAuth - Account Takeover on Booking.com
Multiple bugs chained to takeover Facebook Accounts which uses Gmail

CTF Writeups

[video] HackTheBox - Oouch (by IppSec)
Hacktivity'20 Notes Surfer task

Attacking OAuth

[video] How to Hack OAuth by Aaron Parecki
Egor Homakov's OAuth blogposts
Common OAuth issue you can use to take over accounts
The Most Common OAuth2 Vulnerability
Hidden OAuth attack vectors
Account hijacking using "dirty dancing" in sign-in OAuth-flows
Salt Labs exposes a new vulnerability in popular OAuth framework Expo, used in hundreds of online services

Securing OAuth

Prevent Attacks and Redirect Users with OAuth 2.0 State Parameters
How to prevent OAuth authentication vulnerabilities
OAuth 2.0 Security Best Current Practice
API Security Checklist (OAuth)

Tools / Applications / Scripts

Jwtear - A modular command-line tool to parse, create and manipulate JSON Web Token (JWT) tokens for security testing purposes.

Playgrounds

OAUTH.TOOLS
Google OAuth 2.0 Playground
OAuth.com Playground

JWT (JSON Web Token) Security

Attacking JWT authentication
Practical Approaches for Testing and Breaking JWT Authentication
Reddit discussion about "Practical Approaches for Testing and Breaking JWT Authentication"

Books

Books about OAuth 2.0 (by oauth.net)
Advanced API Security: OAuth 2.0 and Beyond (2nd edition)
API Security in Action
OAuth 2.0: Getting Started in Web-API Security