Privacy-Preserving Single Sign-On
02-27, 12:00–12:30 (UTC), Kaldalón

We present recent advances that improve the privacy of SSO protocols such as OIDC: our approach supports RP authentication, RP-bound tokens and RP-specific pseudonyms, all without the IdP learning the identity of the RP the user wants to access.


OpenID Connect (OIDC) is a Single Sign-On (SSO) protocol that allows users to authenticate to various Relying Parties (RPs) via an Identity Provider (IdP). The main drawback of SSO is its lack of privacy, as the IdP learns the RP's identity at each user's login. OIDC supports several protocol flows, of which only one, the Implicit Flow, gives hope for any privacy, as it does not require direct communication between the IdP and RP. This design was initially intended for RPs with technical limitations that prevent them from storing credentials and thus authenticating to the IdP. However, RP authentication is crucial to ensure that users only access properly registered RPs. As a result, the Implicit Flow has been deprecated in the ongoing OIDC/OAuth specification process.

We propose a privacy-preserving protocol that incorporates RP authentication into the Implicit Flow. That is, the IdP can restrict its service to authenticated RPs and tie each authentication token to a specific RP, but without learning which RP the user is accessing. Our work further supports unlinkable authentication towards RPs. In SSO, this is realized via Pairwise Pseudonymous Identifiers (PPID), where the IdP assigns the user an RP-specific pseudonym. We propose the first SSO system that can provide such pseudonymous authentication in an unobservable yet strongly secure manner. That is, the IdP blindly derives the user's pairwise pseudonym for the targeted RP without learning the RP's identity. Our protocol maintains the convenience of classic SSO, as it does not require any key material handled by the user.

Our construction combines signatures with efficient proofs-of-knowledge and a blind, yet verifiable, evaluation of the Hashed-Diffie-Hellman PRF. We have proven the security of our protocol and demonstrated its efficiency through a prototype implementation, which requires a running time of 2-12 ms per involved party.
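
A minimal sketch of blind Hashed-Diffie-Hellman PRF evaluation, added here as an illustration and not taken from the authors' prototype: the user blinds the hashed RP identifier, the IdP exponentiates with its key, and the user unblinds to obtain the pairwise pseudonym. The group, the per-user key `k` and all function names are assumptions of this sketch; the signatures, proofs-of-knowledge and the verifiability of the evaluation are omitted.

```python
import hashlib
import secrets

# RFC 2409 Oakley Group 1 safe prime (768-bit): demo size only, too small for real use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2  # prime order of the subgroup of squares mod P


def hash_to_group(data: bytes) -> int:
    """H': map data to a non-identity square mod P (discrete log unknown)."""
    wide = b"".join(hashlib.sha256(bytes([i]) + data).digest() for i in range(4))
    x = 2 + int.from_bytes(wide, "big") % (P - 3)  # x in [2, P-2], so x*x != 1
    return pow(x, 2, P)


def finalize(rp_id: bytes, y: int) -> str:
    """Outer hash H(x, y) of HashDH; the hex digest serves as the pseudonym."""
    return hashlib.sha256(rp_id + b"|" + y.to_bytes(96, "big")).hexdigest()


def prf(k: int, rp_id: bytes) -> str:
    """Unblinded reference: F_k(x) = H(x, H'(x)^k)."""
    return finalize(rp_id, pow(hash_to_group(rp_id), k, P))


def blind(rp_id: bytes, r: int = 0):
    """User side: hide H'(rp_id) under a random exponent r; returns (r, blinded)."""
    r = r or 1 + secrets.randbelow(Q - 1)
    return r, pow(hash_to_group(rp_id), r, P)


def idp_evaluate(k: int, blinded: int) -> int:
    """IdP side: k is its key for this user (assumed); input reveals nothing about the RP."""
    if not 1 < blinded < P or pow(blinded, Q, P) != 1:
        raise ValueError("blinded element is not in the prime-order subgroup")
    return pow(blinded, k, P)


def unblind(rp_id: bytes, r: int, evaluated: int) -> str:
    """User side: strip r, leaving H'(rp_id)^k, then hash to the pseudonym."""
    return finalize(rp_id, pow(evaluated, pow(r, -1, Q), P))
```

Two logins to the same RP send different blinded elements to the IdP yet unblind to the same pseudonym, and the IdP rejects inputs outside the prime-order subgroup before applying its key.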

This talk is based on joint work with Anja Lehmann and Cavit Özbay:
- Maximilian Kroschewski, Anja Lehmann. Save The Implicit Flow? Enabling Privacy-Preserving RP Authentication in OpenID Connect. PETS 2023. https://petsymposium.org/popets/2023/popets-2023-0100.php
- Maximilian Kroschewski, Anja Lehmann, Cavit Özbay. OPPID: Single Sign-On with Oblivious Pairwise Pseudonyms. https://eprint.iacr.org/2024/1124