Understanding OAuth Session Fixation in Connector Ecosystems
2026-05-29, Work Lab II

Session fixation is addressed by certain OAuth-related standards but remains unexamined in mainstream OAuth 2.0 deployments. We identify 40+ vulnerable vendors in "connector ecosystems" for app integration and agentic AI, and propose mitigations.


Session fixation is a well-known problem in web security [1], and was historically observed in OAuth 1.0 [2] and mitigated in several OAuth 2.0-related standards [3] such as cross-device flows [4] and OpenID4VP [5]. However, while session fixation has been discussed in such specialized settings, the threat is not modeled in the OAuth Security BCP (RFC 9700) [6], and its real-world susceptibility has not been systematically analyzed in mainstream OAuth 2.0 authorization code grant deployments for same-device usage.

Modern applications—such as productivity apps, automation platforms, and AI agents—orchestrate across external tools and SaaS integrations through cloud-based "connectors". To obtain authorized access to connector accounts, these applications rely extensively on OAuth 2.0 for account linking, through which they link connector accounts to application accounts and maintain persistent OAuth connections.

In such "connector ecosystems", applications may either self-manage their OAuth clients, or rely on managed infrastructures where OAuth responsibilities (token retrieval and lifecycle management) are outsourced to a "Token Vault". In both cases, the OAuth client commonly introduces dedicated auth sessions that are separate from the application's existing user sessions. Such auth sessions keep track of the application's authorization context (e.g., the expected application account that will use the tokens) across disparate web origins, user agents, and trust domains during OAuth flows.

By systematizing real-world OAuth architectural patterns, we show that over-reliance on such auth sessions can inadvertently break session integrity in OAuth. This issue enables session fixation attacks across more than 40 vendors in connector ecosystems. In such attacks:

  • An attacker tricks a victim into authorizing an OAuth flow initiated by the attacker, which fixates an attacker-controlled auth session in the victim’s user agent.
  • After the victim completes authorization, the attacker gains access to the victim’s protected resources, leading to connector account takeovers.
  • In many cases, a single click on an unassuming hyperlink is all it takes for a user to be compromised.
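As an added illustration (this is not code from the paper or from any vendor it studies), the following Python simulation plays out the three steps above against a self-managed OAuth client that tracks the account-linking flow in a standalone auth session, and then replays the same lure against a client that keeps the pending flow inside the application's authenticated user session. The authorization server, the two browsers, the account names and every identifier are constructed for the example.

```python
"""
Constructed simulation of OAuth-based account linking in a connector ecosystem.

The attacker starts a linking flow for attacker@app, lures the victim into
completing it, and ends up with a token for the victim's connector account.
Binding the pending flow to the application's own user session stops this.
All classes, accounts and identifiers are invented for illustration.
"""
import secrets


class AuthorizationServer:
    """Stand-in for the connector's AS: issues a code for whichever connector
    user consents, and exchanges that code for a token naming its owner."""

    def __init__(self):
        self.codes = {}

    def authorize(self, connector_user, state):
        # The AS echoes state unchanged; it cannot know which app account started the flow.
        code = secrets.token_urlsafe(16)
        self.codes[code] = connector_user
        return {"code": code, "state": state}

    def token(self, code):
        owner = self.codes.pop(code)
        return {"access_token": "tok-" + secrets.token_hex(8), "owner": owner}


class Browser:
    """A user agent is just a cookie jar here."""

    def __init__(self):
        self.cookies = {}


class VulnerableClient:
    """The auth session is its own cookie, decoupled from the user session.
    Whoever finishes the flow carrying that cookie binds the resulting token
    to the application account that *initiated* it."""

    def __init__(self, as_):
        self.as_ = as_
        self.auth_sessions = {}  # auth_session_id -> {"state", "account"}
        self.linked = {}         # application account -> token

    def start(self, app_account):
        sid, state = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.auth_sessions[sid] = {"state": state, "account": app_account}
        return {"auth_session": sid, "state": state}

    def callback(self, browser, code, state):
        sess = self.auth_sessions.pop(browser.cookies["auth_session"])
        if not secrets.compare_digest(sess["state"], state):
            raise ValueError("state mismatch")  # CSRF check passes in the attack; it is not the flaw
        self.linked[sess["account"]] = self.as_.token(code)
        return sess["account"]


class HardenedClient:
    """The pending flow lives inside the authenticated user session, so the
    callback can only be completed by a browser logged in as the initiator."""

    def __init__(self, as_):
        self.as_ = as_
        self.user_sessions = {}  # user_session_id -> {"account", "pending"}
        self.linked = {}

    def login(self, browser, app_account):
        usid = secrets.token_urlsafe(16)
        self.user_sessions[usid] = {"account": app_account, "pending": None}
        browser.cookies["user_session"] = usid

    def start(self, browser):
        us = self.user_sessions[browser.cookies["user_session"]]
        us["pending"] = secrets.token_urlsafe(16)
        return {"state": us["pending"]}

    def callback(self, browser, code, state):
        us = self.user_sessions.get(browser.cookies.get("user_session"))
        if us is None or us["pending"] is None or not secrets.compare_digest(us["pending"], state):
            raise PermissionError("callback is not bound to the user session that started the flow")
        us["pending"] = None
        self.linked[us["account"]] = self.as_.token(code)
        return us["account"]


def run_attack(hardened):
    """Return the application account that ends up holding the victim's
    connector token, or None if the client rejected the fixated flow."""
    as_ = AuthorizationServer()
    attacker, victim = Browser(), Browser()
    if hardened:
        client = HardenedClient(as_)
        client.login(attacker, "attacker@app")
        client.login(victim, "victim@app")
        flow = client.start(attacker)  # state is stored in the attacker's user session only
    else:
        client = VulnerableClient(as_)
        flow = client.start("attacker@app")
        # Step 1: the lure plants the attacker's auth session in the victim's browser.
        victim.cookies["auth_session"] = flow["auth_session"]
    # Step 2: the victim, logged in at the connector, consents to the attacker's flow.
    resp = as_.authorize("victim@connector", flow["state"])
    try:
        account = client.callback(victim, resp["code"], resp["state"])
    except PermissionError:
        return None
    # Step 3 (vulnerable case): the victim's token is now linked to attacker@app.
    return account if client.linked[account]["owner"] == "victim@connector" else None


if __name__ == "__main__":
    print("standalone auth session:", run_attack(hardened=False))  # attacker@app
    print("bound to user session:  ", run_attack(hardened=True))   # None
```

Note that the vulnerable client's `state` check succeeds: the attack is not a CSRF, because the callback does arrive with the state the (attacker's) auth session expects. What is missing is any tie between that auth session and the user session of the browser completing the flow. When the OAuth client is a separate Token Vault rather than the application itself, the two sessions live in different components, so an equivalent binding has to be established across them; the authorization URL session binding in [7] is one vendor's approach to that.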

In this talk, we further explain why session fixation attacks emerge in connector ecosystems, and how they can be mitigated (e.g., [7] [8] [9] [10] [11]). Notably, these issues are not merely the result of careless implementation, but arise from the architectural decoupling of OAuth responsibilities (the OAuth client) and session management (the application) across different components or entities that were traditionally treated as a single "client application".

We also discuss our initial efforts to model these deployment scenarios and security considerations, proposing potential updates to the OAuth Security BCP [12] [13] as a call to action for the community.


Co-authors: Kaixuan Luo, Xianbo Wang, Adonis Fung, Wing Cheong Lau

Our research paper appears in IEEE S&P 2026 [14], with preliminary results presented at Black Hat USA 2024 [15] and 2025 [16].

References:
[1] https://cwe.mitre.org/data/definitions/384.html
[2] https://oauth.net/advisories/2009-1/
[3] https://danielfett.de/2025/03/10/cross-device-session-fixation/
[4] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-cross-device-security-16#section-4
[5] https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-14.2
[6] https://datatracker.ietf.org/doc/html/rfc9700

[7] https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/oauth2-authorization-url-session-binding.html
[8] https://aws.amazon.com/blogs/machine-learning/secure-ai-agents-with-amazon-bedrock-agentcore-identity-on-amazon-ecs/
[9] https://docs.arcade.dev/en/home/auth/secure-auth-production
[10] https://www.arcade.dev/blog/arcade-proactively-addressed-coat-vulnerability-in-agentic-ai/
[11] https://modelcontextprotocol.io/specification/2025-11-25/client/elicitation#phishing

[12] IETF 125 Presentation (Page 6-8): https://datatracker.ietf.org/meeting/125/materials/slides-125-oauth-updates-to-oauth-20-security-best-current-practice-00
[13] Internet-Draft (Section 2.3): https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-update-01#section-2.3

[14] Kaixuan Luo, Xianbo Wang, Pui Ho Adonis Fung, and Wing Cheong Lau, "Demystifying the (In)Security of OAuth-based Account Linking in Connector Ecosystems," in 2026 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2026, pp. 2327-2346. https://doi.ieeecomputersociety.org/10.1109/SP63933.2026.00128
[15] https://blackhat.com/us-24/briefings/schedule/index.html#one-hack-to-rule-them-all-pervasive-account-takeovers-in-integration-platforms-for-workflow-automation-virtual-voice-assistant-iot-38-llm-services-38994
[16] https://blackhat.com/us-25/briefings/schedule/index.html#back-to-the-future-hacking-and-securing-connection-based-oauth-architectures-in-agentic-ai-and-integration-platforms-44686

Kaixuan Luo is a PhD candidate at Mobile Technologies Centre (MobiTeC), the Chinese University of Hong Kong (CUHK). His research focuses on web security and its intersection with digital identities. He is a three-time Black Hat USA speaker and has published his research at USENIX Security and IEEE S&P.