{"id":"https://openalex.org/W2229250518","doi":"https://doi.org/10.1145/2976749.2978385","title":"A Comprehensive Formal Security Analysis of OAuth 2.0","display_name":"A Comprehensive Formal Security Analysis of OAuth 2.0","publication_year":2016,"publication_date":"2016-10-24","ids":{"openalex":"https://openalex.org/W2229250518","doi":"https://doi.org/10.1145/2976749.2978385","mag":"2229250518"},"language":"en","primary_location":{"id":"doi:10.1145/2976749.2978385","is_oa":false,"landing_page_url":"https://doi.org/10.1145/2976749.2978385","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5019297588","display_name":"Daniel Fett","orcid":null},"institutions":[{"id":"https://openalex.org/I89864525","display_name":"Universit\u00e4t Trier","ror":"https://ror.org/02778hg05","country_code":"DE","type":"education","lineage":["https://openalex.org/I89864525"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"Daniel Fett","raw_affiliation_strings":["University of Trier, Trier, Germany"],"affiliations":[{"raw_affiliation_string":"University of Trier, Trier, Germany","institution_ids":["https://openalex.org/I89864525"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5088011494","display_name":"Ralf K\u00fcsters","orcid":"https://orcid.org/0000-0002-9071-9312"},"institutions":[{"id":"https://openalex.org/I89864525","display_name":"Universit\u00e4t Trier","ror":"https://ror.org/02778hg05","country_code":"DE","type":"education","lineage":["https://openalex.org/I89864525"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Ralf K\u00fcsters","raw_affiliation_strings":["University of Trier, Trier, Germany"],"affiliations":[{"raw_affiliation_string":"University of Trier, Trier, Germany","institution_ids":["https://openalex.org/I89864525"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5032615835","display_name":"Guido Schmitz","orcid":"https://orcid.org/0000-0002-3776-5475"},"institutions":[{"id":"https://openalex.org/I89864525","display_name":"Universit\u00e4t Trier","ror":"https://ror.org/02778hg05","country_code":"DE","type":"education","lineage":["https://openalex.org/I89864525"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Guido Schmitz","raw_affiliation_strings":["University of Trier, Trier, Germany"],"affiliations":[{"raw_affiliation_string":"University of Trier, Trier, Germany","institution_ids":["https://openalex.org/I89864525"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5019297588"],"corresponding_institution_ids":["https://openalex.org/I89864525"],"apc_list":null,"apc_paid":null,"fwci":32.6473,"has_fulltext":false,"cited_by_count":184,"citation_normalized_percentile":{"value":0.99633133,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"1204","last_page":"1215"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9976000189781189,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.9952999949455261,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7777251601219177},{"id":"https://openalex.org/keywords/password","display_name":"Password","score":0.6528602838516235},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.6482623815536499},{"id":"https://openalex.org/keywords/single-sign-on","display_name":"Single sign-on","score":0.5004496574401855},{"id":"https://openalex.org/keywords/identity-management","display_name":"Identity management","score":0.49985265731811523},{"id":"https://openalex.org/keywords/cryptographic-protocol","display_name":"Cryptographic protocol","score":0.48815780878067017},{"id":"https://openalex.org/keywords/security-analysis","display_name":"Security analysis","score":0.48490625619888306},{"id":"https://openalex.org/keywords/authentication","display_name":"Authentication (law)","score":0.44899410009384155},{"id":"https://openalex.org/keywords/session","display_name":"Session (web analytics)","score":0.4294929504394531},{"id":"https://openalex.org/keywords/internet-privacy","display_name":"Internet privacy","score":0.38215136528015137},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.3113090991973877},{"id":"https://openalex.org/keywords/cryptography","display_name":"Cryptography","score":0.2887457311153412}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7777251601219177},{"id":"https://openalex.org/C109297577","wikidata":"https://www.wikidata.org/wiki/Q161157","display_name":"Password","level":2,"score":0.6528602838516235},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6482623815536499},{"id":"https://openalex.org/C2776362682","wikidata":"https://www.wikidata.org/wiki/Q568494","display_name":"Single sign-on","level":3,"score":0.5004496574401855},{"id":"https://openalex.org/C555379026","wikidata":"https://www.wikidata.org/wiki/Q977772","display_name":"Identity management","level":3,"score":0.49985265731811523},{"id":"https://openalex.org/C33884865","wikidata":"https://www.wikidata.org/wiki/Q1254335","display_name":"Cryptographic protocol","level":3,"score":0.48815780878067017},{"id":"https://openalex.org/C38369872","wikidata":"https://www.wikidata.org/wiki/Q7445009","display_name":"Security analysis","level":2,"score":0.48490625619888306},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.44899410009384155},{"id":"https://openalex.org/C2779182362","wikidata":"https://www.wikidata.org/wiki/Q17126187","display_name":"Session (web analytics)","level":2,"score":0.4294929504394531},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.38215136528015137},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.3113090991973877},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.2887457311153412}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/2976749.2978385","is_oa":false,"landing_page_url":"https://doi.org/10.1145/2976749.2978385","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.6100000143051147,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[{"id":"https://openalex.org/G7714915631","display_name":null,"funder_award_id":"KU 1434/10-1","funder_id":"https://openalex.org/F4320320879","funder_display_name":"Deutsche Forschungsgemeinschaft"}],"funders":[{"id":"https://openalex.org/F4320320879","display_name":"Deutsche Forschungsgemeinschaft","ror":"https://ror.org/018mejw64"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":28,"referenced_works":["https://openalex.org/W88388190","https://openalex.org/W1197495329","https://openalex.org/W1475974720","https://openalex.org/W1785797725","https://openalex.org/W1892518070","https://openalex.org/W1973054120","https://openalex.org/W1976371754","https://openalex.org/W1991596081","https://openalex.org/W1997143966","https://openalex.org/W2012921353","https://openalex.org/W2053070160","https://openalex.org/W2058664481","https://openalex.org/W2072978486","https://openalex.org/W2090184259","https://openalex.org/W2103475742","https://openalex.org/W2112578244","https://openalex.org/W2121845793","https://openalex.org/W2126123233","https://openalex.org/W2133723082","https://openalex.org/W2143504694","https://openalex.org/W2150387335","https://openalex.org/W2237651967","https://openalex.org/W2257521072","https://openalex.org/W2398053170","https://openalex.org/W2400427673","https://openalex.org/W2477631570","https://openalex.org/W2964194080","https://openalex.org/W3049379989"],"related_works":["https://openalex.org/W1844704486","https://openalex.org/W2213995339","https://openalex.org/W4386427074","https://openalex.org/W2728487846","https://openalex.org/W3062861","https://openalex.org/W4284961148","https://openalex.org/W2245771844","https://openalex.org/W1971172603","https://openalex.org/W2005308538","https://openalex.org/W2994032049"],"abstract_inverted_index":{"The":[0],"OAuth":[1,80,112,165],"2.0":[2,81,166],"protocol":[3],"is":[4],"one":[5],"of":[6,31,78,163],"the":[7,19,22,29,73,79,126,138,164],"most":[8],"widely":[9],"deployed":[10],"authorization/single":[11],"sign-on":[12],"(SSO)":[13],"protocols":[14],"and":[15,46,96,125,140,144,153,161,172,182],"also":[16],"serves":[17],"as":[18,157],"foundation":[20],"for":[21,100],"new":[23],"SSO":[24],"standard":[25,82,167],"OpenID":[26],"Connect.":[27],"Despite":[28],"popularity":[30],"OAuth,":[32],"so":[33],"far":[34],"analysis":[35,77,89,162],"efforts":[36],"were":[37,47],"mostly":[38],"targeted":[39],"at":[40,65,91],"finding":[41],"bugs":[42],"in":[43,83,137,177],"specific":[44],"implementations":[45],"based":[48],"on":[49],"formal":[50,63,76,104,108],"models":[51],"which":[52,101],"abstract":[53],"from":[54],"many":[55],"web":[56,86],"features":[57],"or":[58],"did":[59],"not":[60],"provide":[61,103],"a":[62],"treatment":[64],"all.":[66],"In":[67,106],"this":[68],"paper,":[69],"we":[70,102],"carry":[71],"out":[72],"first":[74],"extensive":[75],"an":[84],"expressive":[85],"model.":[87],"Our":[88,159],"aims":[90],"establishing":[92],"strong":[93],"authorization,":[94],"authentication,":[95],"session":[97],"integrity":[98],"guarantees,":[99],"definitions.":[105],"our":[107],"analysis,":[109],"all":[110],"four":[111],"grant":[113],"types":[114],"(authorization":[115],"code":[116],"grant,":[117,119,124],"implicit":[118],"resource":[120],"owner":[121],"password":[122],"credentials":[123,128],"client":[127],"grant)":[129],"are":[130,155,175],"covered.":[131],"They":[132],"may":[133],"even":[134],"run":[135],"simultaneously":[136],"same":[139],"different":[141],"relying":[142,149],"parties":[143],"identity":[145,151],"providers,":[146,152],"where":[147],"malicious":[148],"parties,":[150],"browsers":[154],"considered":[156],"well.":[158],"modeling":[160],"assumes":[168],"that":[169],"security":[170],"recommendations":[171],"best":[173],"practices":[174],"followed":[176],"order":[178],"to":[179],"avoid":[180],"obvious":[181],"known":[183],"attacks.":[184]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":25},{"year":2024,"cited_by_count":24},{"year":2023,"cited_by_count":23},{"year":2022,"cited_by_count":15},{"year":2021,"cited_by_count":22},{"year":2020,"cited_by_count":26},{"year":2019,"cited_by_count":16},{"year":2018,"cited_by_count":14},{"year":2017,"cited_by_count":14},{"year":2016,"cited_by_count":3}],"updated_date":"2026-04-01T17:29:45.350535","created_date":"2025-10-10T00:00:00"}