All interaction with the resource owner is performed by the client. Thus it might, intentionally or unintentionally, happen that the client obtains a token with scope unknown for, or unintended by, the resource owner. For example, the resource owner might think the client needs and acquires read-only access to its media storage only but the client tries to acquire an access token with full access permissions.
OAuth 2.0 Threat Model and Security Considerations (RFC6819, section 4.4.3.2)
This threat is considered fully mitigated if all the test cases from the following test set succeed.
Back to the threat overview