OpenID Connect (OIDC) single sign-on mechanisms suffer from critical security vulnerabilities, resulting in substantial financial losses. This paper introduces AuthFix—the first automated repair engine targeting OIDC protocol interaction logic. AuthFix integrates three core components: (1) large language model (LLM)-driven fault localization, (2) formal modeling and model checking based on Petri nets, and (3) counterexample-guided patch synthesis—enabling end-to-end, semantics-aware repair. Evaluated on 23 real-world OIDC vulnerabilities, AuthFix successfully generates 17 correct patches semantically equivalent to manual fixes, achieving a 74% accuracy rate—significantly outperforming existing approaches. The framework delivers a verifiable, deployable, and protocol-level automation solution for securing identity authentication systems.

OpenID Connect has revolutionized online authentication based on single sign-on (SSO) by providing a secure and convenient method for accessing multiple services with a single set of credentials. Despite its widespread adoption, critical security bugs in OpenID Connect have resulted in significant financial losses and security breaches, highlighting the need for robust mitigation strategies. Automated program repair presents a promising solution for generating candidate patches for OpenID implementations. However, challenges such as domain-specific complexities and the necessity for precise fault localization and patch verification must be addressed. We propose AuthFix, a counterexample-guided repair engine leveraging LLMs for automated OpenID bug fixing. AuthFix integrates three key components: fault localization, patch synthesis, and patch verification. By employing a novel Petri-net-based model checker, AuthFix ensures the correctness of patches by effectively modeling interactions. Our evaluation on a dataset of OpenID bugs demonstrates that AuthFix successfully generated correct patches for 17 out of 23 bugs (74%), with a high proportion of patches semantically equivalent to developer-written fixes.