mechanisms has been implemented and used to validate their functionality, demonstrating that an IdP using OpenID Connect can achieve GDPR compliance without any change to the current specifications, using only standard technologies and mechanisms, while following the principles of lawfulness, fairness, security, transparency and accountability.
Protecting End User’s Privacy When using Social Login through GDPR Compliance