Post-Quantum Cryptography for Web Authentication Protocols: A Systematic Review of OAuth 2.0, OpenID Connect, and SAML Migration
Date
2026-03-19
Publisher
Institute of Electrical and Electronics Engineers Inc.
Abstract
OAuth 2.0, OpenID Connect (OIDC), and SAML rely on classical public-key primitives such as RSA and ECDSA, which are vulnerable to quantum attacks via Shor's algorithm. This systematic review examines the migration of these protocols to Post-Quantum Cryptography (PQC) following the 2024 NIST standardization of ML-DSA and ML-KEM. We map the cryptographic dependencies across all three protocols, evaluate the NIST-standardized algorithms for authentication use cases, and analyze practical migration challenges. Token size explosion, with ML-DSA-65 signatures approximately 52 times larger than ECDSA P-256 signatures, represents the dominant implementation barrier, compounded by incomplete JOSE standardization and limited ecosystem maturity. Missing formal security proofs and the absence of federation migration frameworks are identified as critical priorities to address before production deployment.
Keywords
Web Authentication, Post-Quantum Cryptography, SAML, OpenID Connect, OAuth 2.0, ML-KEM, ML-DSA
