aaronpk
This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts
aaronpk@aaronparecki.com

tl;dr: Don't accept access tokens in your redirect URI (don't use the implicit flow)

PKCE solves this attack and is enforced by the server rather than relying on client developers to "verify the access token" as described in the post

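Added example (not part of the post above, and not code from aaronpk or from the Salt Security writeup) modelling the two points the post makes: an implicit-flow callback that accepts whatever access token shows up in the redirect is taken over by token injection, while a code flow with PKCE is refused by the authorization server itself, because the code is bound to the client_id, redirect_uri and code_challenge it was issued with. The authorization server, the two client apps ("attacker-app", "target-app"), the users and the in-memory stores are all constructed for the illustration; `make_challenge` implements the S256 method from RFC 7636 and is checked against the RFC's test vector.

```python
"""Implicit-flow token injection vs. PKCE-bound code exchange (constructed model)."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_verifier() -> str:
    # RFC 7636: 43-128 unreserved characters; 32 random bytes encode to 43.
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy AS (assumption, not a real product) that remembers who each grant was issued to."""

    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri, code_challenge, user)
        self.tokens = {}  # access_token -> {"sub": user, "aud": client_id}

    def implicit_authorize(self, client_id, user):
        # Implicit flow: the access token itself is returned in the redirect fragment.
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"sub": user, "aud": client_id}
        return token

    def code_authorize(self, client_id, redirect_uri, code_challenge, user):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, code_challenge, user)
        return code

    def token_endpoint(self, client_id, redirect_uri, code, code_verifier):
        grant = self.codes.pop(code, None)  # codes are single use
        if grant is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        g_client, g_redirect, g_challenge, user = grant
        if g_client != client_id or g_redirect != redirect_uri:
            raise PermissionError("invalid_grant: code was issued to a different client")
        if not secrets.compare_digest(make_challenge(code_verifier), g_challenge):
            raise PermissionError("invalid_grant: PKCE verifier does not match challenge")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"sub": user, "aud": client_id}
        return token

    def userinfo(self, token):
        return self.tokens[token]


def implicit_callback_vulnerable(auth, fragment_token):
    """Target app's implicit callback: trusts any token in the fragment and logs in its owner."""
    return auth.userinfo(fragment_token)["sub"]


class PkceClient:
    """One browser session at the target app; the verifier lives only in that session."""

    def __init__(self, auth, client_id, redirect_uri):
        self.auth, self.client_id, self.redirect_uri = auth, client_id, redirect_uri
        self.verifier = None

    def start_login(self, user):
        self.verifier = make_verifier()
        # Real flow: redirect the browser to the AS; here the AS is called directly.
        return self.auth.code_authorize(self.client_id, self.redirect_uri,
                                        make_challenge(self.verifier), user)

    def callback(self, code):
        token = self.auth.token_endpoint(self.client_id, self.redirect_uri, code, self.verifier)
        return self.auth.userinfo(token)["sub"]


def demo():
    auth = AuthorizationServer()
    out = {}
    # 1. Victim signs in to attacker-app via implicit flow; attacker now holds a token for "victim"
    #    and injects it into target-app's callback. target-app never checks "aud" -> takeover.
    stolen = auth.implicit_authorize("attacker-app", "victim")
    out["implicit"] = implicit_callback_vulnerable(auth, stolen)

    # 2. Code flow + PKCE. Victim starts a login at target-app in their own session.
    victim = PkceClient(auth, "target-app", "https://target.example/cb")
    victim_code = victim.start_login("victim")
    # Attacker starts their own session at target-app, then injects the victim's code into it.
    attacker = PkceClient(auth, "target-app", "https://target.example/cb")
    attacker.start_login("attacker")
    try:
        out["pkce_cross_session"] = attacker.callback(victim_code)
    except PermissionError as e:
        out["pkce_cross_session"] = str(e)

    # 3. Code issued to attacker-app for the victim, replayed at target-app: client binding fails.
    foreign = auth.code_authorize("attacker-app", "https://attacker.example/cb",
                                  make_challenge(attacker.verifier), "victim")
    try:
        out["pkce_cross_client"] = attacker.callback(foreign)
    except PermissionError as e:
        out["pkce_cross_client"] = str(e)

    # 4. The genuine session redeems its own code normally.
    out["legit"] = victim.callback(victim.start_login("victim"))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Case 2 is the one the post's "enforced by the server" remark refers to: the target app does nothing special in its callback, yet the exchange fails because the injected code was bound to a challenge the attacker's session cannot answer. The audience check a client would otherwise have to perform on a bare access token never comes up, because the client never receives a token it did not obtain through its own token request.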