An attacker could use the end-user authorization endpoint and the redirect URI parameter to abuse the authorization server as an open redirector. An open redirector is an endpoint using a parameter to automatically redirect a user agent to the location specified by the parameter value without any validation. An attacker could utilize a user's trust in an authorization server to launch a phishing attack.
OAuth 2.0 Security Best Current Practice (draft 25) (SecBCP, section 4.11.2)
This threat is considered fully mitigated if all the test cases from the following test set succeed.
Back to the threat overview