What is OIDC?

Open ID Connect (OIDC), often called “Social Login”, is a standard defined to allow users to use existing authentication method/vehicle leveraging credentials used for partner trusted sites to access another site without needing to set up unique credentials. OIDC is a standard for authentication and authorization that builds on top of OAuth 2.0. It provides a way for clients to verify the identity of the end-user based on the authentication performed by an authorization server.

However, there are several security concerns that need to be considered when using OIDC:

‍

Data leakage. Sensitive data like access tokens, ID tokens, and user profiles can leak if they are not stored or transmitted securely.

Phishing attacks. End-users can be easily tricked into revealing their OIDC credentials if phishing attacks are not prevented.

Cross-Site Request Forgery (CSRF). CSRF attacks are used to compromise OIDC authentication flows with missing security measures.

Token hijacking. Tokens can be stolen and used by unauthorized parties if they are not properly secured.

Man-in-the-middle (MITM) attacks. Attackers intercept communication between the client and the authorization SaaS service to steal sensitive information.

Insufficient logging and monitoring. Insufficient logging and monitoring can make it difficult to detect and respond to security incidents.

‍

To mitigate these security concerns, it is important to properly implement OIDC and follow best practices, such as using SSL/TLS for all communications, implementing proper authentication and authorization controls, and regularly monitoring and logging OIDC-related activity.

‍

‍