PrOfESSOS Client Verifier


PrOfESSOS (Practical Offensive Evaluation of Single Sign-On Services) is an open source tool for fully automated Evaluation-as-a-Service of OpenID Connect clients. The tool was developed for the research paper SoK: Single Sign-On Security – An Evaluation of OpenID Connect, EuroS&P 2017.

The source code of PrOfESSOS can be found at GitHub.

Prerequisite to use PrOfESSOS

As a safeguard to prevent illegitimate usage of the PrOfESSOS service, the RP operator must install a file named .professos at the root directory of the webserver (see Login-Site URL below) containing the base URL of the PrOfESSOS service (<PrOfESSOS-URI>). See for an example of such a file.
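The following is an added example, not PrOfESSOS's own code, of how such an ownership check on the .professos marker can be performed: derive the marker URL from the Login-Site URL (root of that webserver), fetch it, and accept the RP only if the file names exactly the expected PrOfESSOS base URI. The URIs and the in-memory "webserver" are constructed for the example, and the exact normalisation rules are an assumption (the real service may compare differently).

```python
"""Ownership check for the .professos marker file (added example, not the
project's own implementation; comparison rules are an assumption)."""
from urllib.parse import urlsplit, urlunsplit
import urllib.request

# Constructed placeholder for <PrOfESSOS-URI>; substitute the real base URL.
PROFESSOS_URI = "https://professos.example.test"


def professos_file_url(login_site_url: str) -> str:
    """Derive the URL of the .professos marker from the RP's login-site URL.
    The file lives at the root of that webserver, so any path, query or
    fragment of the login URL is discarded."""
    parts = urlsplit(login_site_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {login_site_url!r}")
    return urlunsplit((parts.scheme, parts.netloc, "/.professos", "", ""))


def _canonical(uri: str) -> str:
    """Normalise scheme/host case and a trailing slash before comparing
    (assumed normalisation; scheme and host are case-insensitive per RFC 3986)."""
    p = urlsplit(uri.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"), "", ""))


def verify_professos_file(content: str, expected_uri: str = PROFESSOS_URI) -> bool:
    """True iff the first non-empty line of the marker names the expected
    PrOfESSOS base URI. An empty file or a different URI is rejected, so a
    marker planted for another instance does not authorise this one."""
    for line in content.splitlines():
        line = line.strip()
        if line:
            return _canonical(line) == _canonical(expected_uri)
    return False


def http_fetch(url: str, timeout: float = 5.0):
    """Real fetch helper: returns the body as text, or None on HTTP 404."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def check_rp(login_site_url: str, fetch=http_fetch, expected_uri: str = PROFESSOS_URI):
    """Full check: (ok, reason). `fetch` is injectable so it can be tested offline."""
    url = professos_file_url(login_site_url)
    try:
        body = fetch(url)
    except Exception as exc:  # network error, TLS failure, non-404 HTTP status
        return False, f"could not fetch {url}: {exc}"
    if body is None:
        return False, f"{url} not found"
    if verify_professos_file(body, expected_uri):
        return True, f"{url} names {expected_uri}"
    return False, f"{url} does not name {expected_uri}"


# Constructed sample "webserver" used instead of real HTTP requests.
SAMPLE_SITES = {
    "https://rp.example.test/.professos": "https://professos.example.test/\n",
    "https://other.example.test/.professos": "https://someone-else.example.test\n",
}


def sample_fetch(url: str):
    return SAMPLE_SITES.get(url)  # None stands in for a 404


if __name__ == "__main__":
    for login in ("https://rp.example.test/login?next=/home",
                  "https://other.example.test/sso",
                  "https://nofile.example.test/"):
        print(login, "->", check_rp(login, sample_fetch))
```

Run with `python3 professos_check.py` to see the three outcomes (match, wrong URI, file missing); pass `http_fetch` (the default) instead of `sample_fetch` to check a real RP.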

How to use the Demo Site?

  1. Click on the Load Demo Config button.
  2. Click on the Learn button.
  3. Click on the Run all Tests button to complete Stage 3.


Test not run
Test passed
Test failed (Attack succeeded)
Test outcome undetermined

Stage 1: Setup - Client Parameters

OP Parameters

Test ID: not-loaded
Honest OP Identity: not-loaded
Evil OP Identity: not-loaded

Client Parameters

Stage 2: Configuration Evaluation

Learning Log NOT_RUN

Stage 3: Tests and Attacks