BCP_4_17

Authorization Server Redirecting to Phishing Site

An attacker could utilize a correctly registered redirect URI to perform phishing attacks. The authorization server SHOULD only automatically redirect the user agent if it trusts the redirect URI. If the URI is not trusted, the authorization server MAY inform the user and rely on the user to make the correct decision.

OAuth 2.0 Security Best Current Practice (draft 25) (SecBCP, section 4.17)

Mitigations

This threat is considered fully mitigated if all the test cases from the following test set succeed.
