Malicious Client Obtains Existing Authorization by Fraud

Authorization servers may wish to automatically process authorization requests from clients that have been previously authorized by the user. When the user is redirected to the authorization server's end-user authorization endpoint to grant access, the authorization server detects that the user has already granted access to that particular client. Instead of prompting the user for approval, the authorization server automatically redirects the user back to the client. A malicious client may exploit that feature and try to obtain such an authorization 'code' instead of the legitimate client.

OAuth 2.0 Threat Model and Security Considerations (RFC6819, section 4.2.3)


This threat is considered fully mitigated if all the test cases from one of the following test sets succeed.

Back to the threat overview