About OAuch...

The OAuth 2.0 protocol is a popular and widely adopted authorization protocol. It has been proven secure in a comprehensive formal security analysis, yet new vulnerabilities continue to appear in popular OAuth implementations. OAuch tries to improve the security of the OAuth landscape by measuring how well individual authorization servers implement the security specifications defined in the OAuth standards, and by providing detailed and targeted feedback to the operators to improve the compliance of their service. OAuch tests and analyzes authorization servers according to the guidelines of the OAuth 2.0 standards and security best practices.

OAuch is developed by the Distrinet Research Group in the context of a research project on API security. It is available for free and the source code can be found on GitHub. Contact the OAuch team at info@oauch.io.

PUBLISHED PAPERS
OAuch: Exploring Security Compliance in the OAuth 2.0 Ecosystem

Authors: Pieter Philippaerts, Davy Preuveneers, Wouter Joosen
Published in the proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID'22), October 26--28, 2022, Limassol, Cyprus [BibTeX] — Winner of the Best Practical Paper Award

Read the paper
Revisiting OAuth 2.0 Compliance: A Two-Year Follow-Up Study

Authors: Pieter Philippaerts, Davy Preuveneers, Wouter Joosen
Published in the proceedings of the 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), July 3--7, 2023, Delft, The Netherlands [BibTeX]

Read the paper
Is Your OAuth Middleware Vulnerable? Evaluating Open-Source Identity Providers' Security

Authors: Pieter Philippaerts, Jan Vanhoof, Tom Van Cutsem, Wouter Joosen
Published in the proceedings of the 2024 IEEE Global Communications Conference (GLOBECOM), December 8--12, 2024, Cape Town, South Africa [BibTeX]

Read the paper

OAuch has been presented on apisecure 2023. You can download the slides or watch the presentation on YouTube.

 

The OAuch logo is based on the OAuth logo created by Chris Messina. The logo is released under the Creative Commons Attribution ShareAlike 3.0 license.