An attacker could try to eavesdrop transmission of the authorization 'code' between the authorization server and client. Furthermore, authorization 'codes' are passed via the browser, which may unintentionally leak those codes to untrusted web sites and attackers in different ways.
OAuth 2.0 Threat Model and Security Considerations (RFC6819, section 220.127.116.11)
This threat is considered fully mitigated if all the test cases from the following test set succeed.
Back to the threat overview