Open Access

ARTICLE

Unveiling Authentication Forgery in OpenID Connect under Web Frameworks: A Formal Analysis of CSRF-Based Attack Paths

Xingyun Hu1,2, Siqi Lu1,2,*, Liujia Cai1,2, Ye Feng1,2, Shuhao Gu1,2, Tao Hu1, Yongjuan Wang1,2,*

1 Information Engineering University, Zhengzhou, China
2 Henan Key Laboratory of Network Cryptography Technology, Zhengzhou, China

* Corresponding Authors: Siqi Lu; Yongjuan Wang

(This article belongs to the Special Issue: Cyberspace Mapping and Anti-Mapping Techniques)

Computers, Materials & Continua 2026, 88(1), 24 https://doi.org/10.32604/cmc.2026.079484

Abstract

With the widespread adoption of web applications and cloud services, the OAuth 2.0-based OpenID Connect (OIDC) Single Sign-On (SSO) protocol has become the core of modern digital identity authentication. Although the OIDC specification itself is strict about security, its implementation in real-world web frameworks can introduce critical vulnerabilities, in particular the improper omission of the state parameter, which exposes relying parties to authentication forgery. Existing research often overlooks these implementation-level flaws, especially from a formal-analysis perspective. This paper addresses this gap by formally analyzing the authentication forgery attack that results from a missing state parameter. We construct a high-fidelity web framework model and, using the Tamarin prover, systematically analyze the flawed OIDC implementation. Specifically, we demonstrate an attack path in which cross-site request forgery (CSRF) is used as the vector to deceive the relying party, ultimately achieving identity-binding forgery: the attacker's identity is linked to the victim's session. Against this forgery vulnerability, this paper proposes and formally verifies corresponding patches that defeat the attack. Finally, the paper provides concrete guidance for developers. Through formal methods, this research characterizes a replicable authentication forgery pattern within modern web architectures, providing a theoretical and practical foundation for hardening SSO systems against such forgery threats.
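The attack path the abstract describes, as an added illustration that is not part of the paper or its Tamarin model: a toy relying party (RP) is run twice, once with the callback ignoring `state` and once binding `state` to the browser session. The attacker authenticates at the identity provider (IdP) in their own flow, withholds the resulting authorization code, and lures the victim's browser into hitting the RP callback with that code. All names (`ToyIdP`, `RelyingParty`, the cookie strings and subjects) are constructed for this example and are not identifiers from the paper or from any real framework.

```python
"""Login CSRF against an OIDC relying party that omits the state check.

Constructed example: a minimal in-process IdP and RP, no network, no real tokens.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class ToyIdP:
    """Stand-in identity provider: issues one-time authorization codes bound to a subject.

    Real IdPs also bind codes to client_id and redirect_uri; that is omitted because
    it does not stop this attack (the code is a valid code for this very RP).
    """

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}

    def authenticate(self, subject: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = subject
        return code

    def exchange(self, code: str) -> str:
        # Single use: a second redemption of the same code raises KeyError.
        return self._codes.pop(code)


@dataclass
class Session:
    state: Optional[str] = None   # nonce issued when this session started a login
    user: Optional[str] = None    # identity bound to this session after login


class RelyingParty:
    """Keyed by session cookie; `check_state` toggles the vulnerable vs. patched callback."""

    def __init__(self, idp: ToyIdP, check_state: bool) -> None:
        self.idp = idp
        self.check_state = check_state
        self.sessions: Dict[str, Session] = {}

    def begin_login(self, cookie: str) -> str:
        sess = self.sessions.setdefault(cookie, Session())
        sess.state = secrets.token_urlsafe(16)
        return sess.state  # sent to the IdP as the `state` query parameter

    def callback(self, cookie: str, code: str, state: Optional[str]) -> bool:
        sess = self.sessions.setdefault(cookie, Session())
        if self.check_state:
            # Patched path: `state` must equal the nonce stored in THIS browser's session.
            if sess.state is None or not hmac.compare_digest(sess.state, state or ""):
                return False
            sess.state = None  # consume the nonce so it cannot be replayed
        # Vulnerable path falls straight through: whoever's code arrives gets bound.
        sess.user = self.idp.exchange(code)
        return True


def login_csrf_attack(check_state: bool) -> Tuple[bool, Optional[str]]:
    """Returns (callback accepted?, identity now bound to the victim's session)."""
    idp = ToyIdP()
    rp = RelyingParty(idp, check_state)
    # 1. Attacker starts a login in their own session and authenticates at the IdP,
    #    but does not deliver the code to the RP.
    attacker_state = rp.begin_login("attacker-cookie")
    attacker_code = idp.authenticate("attacker@example.com")
    # 2. Victim's browser is made to request the callback URL (e.g. via a hidden
    #    redirect); it attaches the VICTIM's RP cookie, not the attacker's.
    accepted = rp.callback("victim-cookie", attacker_code, attacker_state)
    return accepted, rp.sessions["victim-cookie"].user


def legitimate_login() -> Tuple[bool, Optional[str]]:
    """Control case: the patched RP still accepts a login the same browser started."""
    idp = ToyIdP()
    rp = RelyingParty(idp, check_state=True)
    state = rp.begin_login("victim-cookie")
    code = idp.authenticate("victim@example.com")
    return rp.callback("victim-cookie", code, state), rp.sessions["victim-cookie"].user


if __name__ == "__main__":
    print("no state check:", login_csrf_attack(check_state=False))
    print("state check   :", login_csrf_attack(check_state=True))
    print("honest login  :", legitimate_login())
```

Without the check the victim's session ends up bound to `attacker@example.com`, which is exactly the identity-binding forgery the paper formalizes; with the check, the callback is rejected because the victim's session never issued the `state` the attacker's flow carries. The nonce must be unguessable, compared in constant time, stored server-side (or in a signed, same-site cookie), and consumed on first use; storing it anywhere the attacker can also set for the victim defeats the purpose.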

Keywords

SSO; authentication forgery; formal analysis; web security vulnerabilities

Cite This Article

APA Style
Hu, X., Lu, S., Cai, L., Feng, Y., Gu, S. et al. (2026). Unveiling Authentication Forgery in OpenID Connect under Web Frameworks: A Formal Analysis of CSRF-Based Attack Paths. Computers, Materials & Continua, 88(1), 24. https://doi.org/10.32604/cmc.2026.079484
Vancouver Style
Hu X, Lu S, Cai L, Feng Y, Gu S, Hu T, et al. Unveiling Authentication Forgery in OpenID Connect under Web Frameworks: A Formal Analysis of CSRF-Based Attack Paths. Comput Mater Contin. 2026;88(1):24. https://doi.org/10.32604/cmc.2026.079484
IEEE Style
X. Hu et al., “Unveiling Authentication Forgery in OpenID Connect under Web Frameworks: A Formal Analysis of CSRF-Based Attack Paths,” Comput. Mater. Contin., vol. 88, no. 1, pp. 24, 2026. https://doi.org/10.32604/cmc.2026.079484

Copyright © 2026 The Author(s). Published by Tech Science Press.
This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.