# OIDC (OpenID Connect)

OpenID Connect is an authentication layer built on OAuth 2.0. Testing focuses on token manipulation, redirect vulnerabilities, and misconfigurations.

## Common Implementations

* Keycloak (Red Hat)
* Okta
* Auth0
* Azure AD
* Amazon Cognito (AWS)
* Google Identity
* GitLab
* Bitbucket Server (Atlassian)
* Salesforce

## Discovery & Enumeration

### Well-Known Endpoints

```bash
# OIDC Configuration (always check this first)
curl https://target.com/.well-known/openid-configuration | jq

# Returns:
# - authorization_endpoint
# - token_endpoint
# - userinfo_endpoint
# - jwks_uri (JSON Web Key Set)
# - supported scopes, claims, grant types

# OAuth 2.0 Authorization Server Metadata
curl https://target.com/.well-known/oauth-authorization-server | jq

# WebFinger (for email-based discovery)
curl "https://target.com/.well-known/webfinger?resource=acct:user@target.com"
```
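Once the discovery document is in hand, a few sanity checks separate a provider that is merely exposing metadata from one that is misconfigured. The following is an added example, not code from the page or from any provider: `SAMPLE_DOC` is a constructed document that carries two of the weaknesses a tester looks for, and `check_discovery()` returns the findings. In practice you would pass it the parsed JSON from the curl call above together with the URL it was fetched from.

```python
"""Sanity-check an OIDC discovery document before trusting what it advertises.

Added example, not from the page. SAMPLE_DOC and DISCOVERY_URL are constructed.
"""
import json
from urllib.parse import urlsplit

# Fields OpenID Connect Discovery 1.0 marks REQUIRED for every provider
# (token_endpoint is only required when a flow other than implicit is offered).
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
                 "jwks_uri", "end_session_endpoint", "revocation_endpoint",
                 "introspection_endpoint", "registration_endpoint")


def check_discovery(doc: dict, fetched_from: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for key in REQUIRED:
        if key not in doc:
            findings.append(f"missing required field: {key}")
    # The issuer must equal the URL the document was fetched under, minus the
    # /.well-known/... suffix; a mismatch means the metadata belongs to someone else
    # or the provider has been moved behind a different host than it believes.
    expected_issuer = fetched_from.split("/.well-known/", 1)[0]
    if doc.get("issuer") != expected_issuer:
        findings.append(f"issuer {doc.get('issuer')!r} does not match {expected_issuer!r}")
    # Every advertised endpoint is fetched or redirected to by relying parties: plain http
    # exposes codes, tokens and keys in transit.
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url and urlsplit(url).scheme != "https":
            findings.append(f"{key} is not https: {url}")
    # Advertising "none" as an ID token signing algorithm is an open invitation to the
    # alg:none manipulation described later on this page.
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("id_token_signing_alg_values_supported advertises 'none'")
    return findings


# Constructed sample: one endpoint over plain http and "none" in the alg list.
DISCOVERY_URL = "https://idp.example/.well-known/openid-configuration"
SAMPLE_DOC = json.loads("""{
  "issuer": "https://idp.example",
  "authorization_endpoint": "https://idp.example/authorize",
  "token_endpoint": "https://idp.example/token",
  "userinfo_endpoint": "http://idp.example/userinfo",
  "jwks_uri": "https://idp.example/.well-known/jwks.json",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256", "none"]
}""")


if __name__ == "__main__":
    for finding in check_discovery(SAMPLE_DOC, DISCOVERY_URL):
        print("-", finding)
```

Feeding the real document is a one-liner: `check_discovery(json.load(sys.stdin), url)` with the curl output piped in. The issuer comparison is the check most often skipped; it is what stops a relying party from accepting metadata that was served from a different path or host than the issuer it thinks it is talking to.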

### Key Endpoints to Test

```bash
/authorize
/token
/userinfo
/logout
/revoke
/introspect
/.well-known/openid-configuration
/.well-known/jwks.json
```

## Token Attacks

### ID Token Manipulation

```bash
# Decode ID token (JWT) payload
# Segments are base64url without padding: swap the alphabet and re-pad, or base64 -d
# reports "invalid input" on most tokens
TOKEN="eyJhbGciOiJSUzI1NiIs..."
seg=$(echo "$TOKEN" | cut -d'.' -f2 | tr '_-' '/+')
while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
echo "$seg" | base64 -d | jq

# Check for weak algorithms
# Look for: alg: "none", "HS256" (when RS256 expected)

# Algorithm confusion attack
# Change RS256 to HS256 and sign with public key as secret
```

### Token Substitution

```bash
# Use token from one client for another
# 1. Get token from client A
# 2. Present to client B's resource server
# If aud (audience) claim not validated → vulnerable
```
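Both of the token findings above (algorithm tampering and cross-client substitution) come down to the relying party trusting fields of the token it was handed. The block below is an added example, not code from the page or from any of the listed providers, showing the validation order a relying party should use: the algorithm is pinned by configuration rather than read from the header, the signature is checked before any claim is looked at, and `iss`, `aud`, `exp` and `nonce` are compared against what this client expects. It uses only the standard library, so the signature path implemented is HS256; an RS256 deployment would register its RSA verifier under `VERIFIERS`, and every other check stays the same. The issuer, client ids, key and clock value are constructed.

```python
"""Relying-party side: validate an ID token with the algorithm pinned by configuration.

Added example, not code from the page. All identifiers and the key are constructed.
"""
import base64
import hashlib
import hmac
import json
import time


class TokenError(ValueError):
    pass


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_hs256(signing_input: bytes, signature: bytes, key: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


# Verifiers keyed by the algorithm the relying party configured, never by the header.
VERIFIERS = {"HS256": verify_hs256}


def validate_id_token(token, *, expected_alg, key, issuer, audience, nonce=None, now=None):
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("token must have exactly three segments")
    header = json.loads(b64url_decode(header_b64))
    # The header is untrusted input: alg "none", or HS256 where RS256 is configured,
    # is rejected here before any key material is used, so no algorithm confusion.
    if header.get("alg") != expected_alg:
        raise TokenError(f"alg {header.get('alg')!r} rejected; expected {expected_alg}")
    verifier = VERIFIERS.get(expected_alg)
    if verifier is None:
        raise TokenError(f"no verifier configured for {expected_alg}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verifier(signing_input, b64url_decode(sig_b64), key):
        raise TokenError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    # aud may be a string or a list; this client's id must be among the audiences,
    # which is exactly the check that blocks token substitution between clients.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not intended for this client (aud)")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch")
    return claims


def mint(header: dict, claims: dict, key: bytes = b"") -> str:
    # Test helper standing in for the IdP: HS256-signs, or leaves unsigned for alg "none".
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if header.get("alg") == "none":
        return f"{h}.{p}."
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def demo():
    key = b"constructed-demo-secret"          # constructed value, not a real secret
    now = 1_700_000_000                       # fixed clock so the demo is deterministic
    rp = dict(expected_alg="HS256", key=key, issuer="https://idp.example",
              audience="client-a", nonce="n-1", now=now)
    base = {"iss": "https://idp.example", "aud": "client-a", "exp": now + 300,
            "nonce": "n-1", "sub": "user-1"}

    def outcome(token):
        try:
            return "accepted sub=" + validate_id_token(token, **rp)["sub"]
        except TokenError as e:
            return f"rejected: {e}"

    good = mint({"alg": "HS256", "typ": "JWT"}, base, key)
    h, _, s = good.split(".")
    tampered = ".".join([h, b64url_encode(json.dumps({**base, "sub": "admin"}).encode()), s])
    return {
        "signed_for_this_client": outcome(good),
        "alg_none": outcome(mint({"alg": "none", "typ": "JWT"}, base)),
        "token_issued_to_client_b": outcome(mint({"alg": "HS256"}, {**base, "aud": "client-b"}, key)),
        "replayed_with_old_nonce": outcome(mint({"alg": "HS256"}, {**base, "nonce": "n-0"}, key)),
        "tampered_payload": outcome(tampered),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} {result}")
```

The order matters: signature first, claims second, and the algorithm decided before either. A validator that reads `alg` from the header and then picks a key is the one the RS256-to-HS256 swap targets; a validator that checks claims before the signature leaks information about which claim values the relying party accepts.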

### Refresh Token Abuse

```bash
# Test if refresh token can be used without client_secret
curl -X POST https://target.com/token \
  -d "grant_type=refresh_token" \
  -d "refresh_token=REFRESH_TOKEN" \
  -d "client_id=CLIENT_ID"

# Test refresh token rotation
# Can old refresh tokens still be used after rotation?
```

## Redirect URI Attacks

### Open Redirect

```bash
# Test redirect_uri manipulation
/authorize?client_id=X&redirect_uri=https://attacker.com
/authorize?client_id=X&redirect_uri=https://target.com.attacker.com
/authorize?client_id=X&redirect_uri=https://target.com%40attacker.com
/authorize?client_id=X&redirect_uri=https://target.com/callback/../../../attacker

# Bypass techniques
redirect_uri=https://target.com/callback?next=https://attacker.com
redirect_uri=https://target.com/callback#@attacker.com
redirect_uri=https://target.com/callback%0d%0aLocation:%20https://attacker.com
```
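Exact string comparison against the registered value is the check that neutralises every payload in the block above. The following is an added example, not code from the page: it takes the page's `redirect_uri` variants as test vectors and runs them through both a prefix matcher (the implementation these payloads rely on) and an exact matcher of the kind RFC 6749 and OAuth 2.1 call for. `https://target.com/callback` is assumed to be the client's single registered redirect URI.

```python
"""Exact-match redirect_uri validation, with the page's payloads as test vectors.

Added example, not from the page. REGISTERED is a constructed client registration
using the page's example callback.
"""
from urllib.parse import urlsplit

REGISTERED = {"https://target.com/callback"}


def prefix_matcher(uri: str) -> bool:
    # Anti-pattern: "does it start with our origin?" Lets nearly every payload below through.
    return uri.startswith("https://target.com")


def exact_matcher(uri: str, registered=REGISTERED) -> bool:
    # Compare the complete string against the pre-registered value. No normalisation,
    # no prefix logic, no pattern matching. A redirect URI must not carry a fragment
    # (RFC 6749 section 3.1.2), so that is rejected explicitly as well.
    if urlsplit(uri).fragment:
        return False
    return uri in registered


# The page's redirect_uri manipulation attempts, plus the legitimate value.
CANDIDATES = [
    "https://target.com/callback",
    "https://attacker.com",
    "https://target.com.attacker.com",
    "https://target.com%40attacker.com",
    "https://target.com/callback/../../../attacker",
    "https://target.com/callback?next=https://attacker.com",
    "https://target.com/callback#@attacker.com",
    "https://target.com/callback%0d%0aLocation:%20https://attacker.com",
]


def compare(candidates=CANDIDATES) -> dict:
    """Map each candidate to (prefix_matcher result, exact_matcher result)."""
    return {uri: (prefix_matcher(uri), exact_matcher(uri)) for uri in candidates}


if __name__ == "__main__":
    print(f"{'redirect_uri':70} prefix exact")
    for uri, (weak, strict) in compare().items():
        print(f"{uri:70} {str(weak):6} {strict}")
```

Seven of the eight candidates pass the prefix matcher and only the registered value passes the exact matcher. Where a client genuinely needs several callbacks (per-environment hosts, for instance), register each one rather than loosening the comparison; loopback redirects for native apps (RFC 8252) are the one place a port-insensitive comparison is sanctioned.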

### Token Leakage via Redirect

```bash
# If token in URL fragment, test for:
# 1. Open redirect to leak fragment
# 2. Referrer header leakage
# 3. History API access
```

## SSRF via OIDC

```bash
# Test URI parameters for SSRF
redirect_uri=http://169.254.169.254/
redirect_uri=http://localhost:8080/
jwks_uri=http://internal-server/jwks.json

# Metadata URL manipulation (for dynamic client registration)
curl -X POST https://target.com/register \
  -H "Content-Type: application/json" \
  -d '{"redirect_uris":["http://attacker.com"],"jwks_uri":"http://internal:8080"}'
```
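The server-side fetches that make these parameters SSRF vectors, above all `jwks_uri` supplied during dynamic client registration, need an outbound allow-list check rather than a blocklist of hostnames. The block below is an added example, not from the page or from any provider: it requires https, refuses URLs carrying userinfo, resolves the host and rejects the URL if any answer is loopback, link-local, private or multicast. The resolver is injected so the example runs offline against `FAKE_DNS`, a constructed hostname table; `8.8.8.8` appears in it only as an obviously public address. In production, pass a real lookup and connect to the address you vetted rather than re-resolving the hostname, otherwise a DNS rebinding answer defeats the check.

```python
"""Allow-list check for URLs an OIDC server fetches itself (jwks_uri, metadata URLs).

Added example, not from the page. FAKE_DNS is a constructed stand-in for DNS.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table. 8.8.8.8 is used only as an obviously public address.
FAKE_DNS = {
    "idp.example": ["8.8.8.8"],
    "internal": ["10.0.0.8"],
    "internal-server": ["10.0.0.9"],
    "localhost": ["127.0.0.1"],
    "rebind.example": ["8.8.8.8", "169.254.169.254"],  # mixed answers: public + link-local
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


def is_safe_fetch_url(url: str, resolve=fake_resolve) -> tuple:
    """Return (allowed, reason) for a server-side fetch of url."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo in URL not allowed"
    # Literal IPs skip DNS but go through the same range checks as resolved answers.
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        answers = resolve(parts.hostname)
        if not answers:
            return False, "hostname did not resolve"
        addrs = [ipaddress.ip_address(a) for a in answers]
    # Every answer must be public unicast; one private, link-local, loopback or
    # multicast answer is enough to refuse the whole URL.
    for addr in addrs:
        if not addr.is_global or addr.is_multicast:
            return False, f"{addr} is not a public unicast address"
    return True, "ok"


# The page's probes, their https variants, and one legitimate jwks_uri.
CANDIDATES = [
    "http://169.254.169.254/",
    "http://localhost:8080/",
    "http://internal-server/jwks.json",
    "https://169.254.169.254/",
    "https://internal:8080/jwks.json",
    "https://localhost/jwks.json",
    "https://rebind.example/jwks.json",
    "https://user@idp.example/jwks.json",
    "https://idp.example/.well-known/jwks.json",
]


def evaluate(candidates=CANDIDATES) -> dict:
    """Map each candidate URL to the reason string from is_safe_fetch_url."""
    return {url: is_safe_fetch_url(url)[1] for url in candidates}


if __name__ == "__main__":
    for url, reason in evaluate().items():
        print(f"{url:45} {reason}")
```

Rejecting the URL when any resolved address is non-public, rather than only the first, is deliberate: a resolver that round-robins between a public and an internal address would otherwise pass the check on some fetches and reach the internal host on others.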

## State & Nonce Bypass

```bash
# Missing state parameter (CSRF)
# Remove state from authorization request
/authorize?client_id=X&redirect_uri=Y  # No state → CSRF possible

# State not bound to session
# Reuse state value from another session

# Missing nonce (replay attacks)
# Remove nonce from implicit flow requests
```

## Scope Abuse

```bash
# Request elevated scopes
/authorize?client_id=X&scope=openid+profile+email+admin+write

# Test scope escalation after consent
# Get consent for 'read', then request token with 'read write'
```

## Specific Provider Attacks

### Keycloak

```bash
# Admin console
/auth/admin/
/auth/admin/master/console/

# Realm info
/auth/realms/{realm}/.well-known/openid-configuration

# CVE-2020-1714 - Adapter token spoofing
# CVE-2020-1728 - SAML authentication bypass
```

### Azure AD

```bash
# Tenant enumeration
curl https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration

# Guest user abuse
# B2B guest tokens may have unexpected permissions
```

### AWS Cognito

```bash
# User pool info
curl https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration

# Test for self-registration if enabled
# Check attribute-based access control bypass
```

## Tools

```bash
# JWT testing
jwt_tool TOKEN -T  # Tamper mode
jwt_tool TOKEN -C -d wordlist.txt  # Crack secret

# Burp extensions
# - JSON Web Tokens
# - OAuth 2.0 Scanner
# - SAML Raider (for SAML/OIDC hybrid)

# OIDC testing
# https://github.com/AhmedMohamedDev/oidc-bash-client
```

## Related Topics

* [OAuth](/enumeration/webservices/oauth.md) - OIDC is built on OAuth 2.0
* [JWT](/enumeration/webservices/jwt.md) - ID tokens are JWTs
* [SSRF](/enumeration/web/ssrf.md) - URI parameters can be SSRF vectors
