In the implicit grant, a URL like client.example/redirection_endpoint#access_token=abcdef may end up in the browser history as a result of a redirect from a provider's authorization endpoint.
OAuth 2.0 Security Best Current Practice (draft 25) (SecBCP, section 4.3.2)
This threat has no countermeasures that can be used to mitigate it. The only way to protect against it is by making sure that the prerequisites are not met (e.g., by disabling certain authorization grants or deprecated features).
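One way to confirm that the prerequisite is not met, as an added example that is not part of the original page: the sketch below audits an authorization server metadata document for response types and grant types that place an access token in the redirect URL. Using RFC 8414 metadata is an assumption (the page does not mention it); the sample document and the function names are constructed for illustration.

```python
import json

# Constructed sample of an RFC 8414 authorization server metadata document.
SAMPLE_METADATA = json.loads("""
{
  "issuer": "https://provider.example",
  "authorization_endpoint": "https://provider.example/authorize",
  "response_types_supported": ["code", "token", "id_token token", "code id_token"],
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token"]
}
""")

# RFC 8414: this is the default when grant_types_supported is omitted,
# so a missing field still means the implicit grant is advertised.
DEFAULT_GRANT_TYPES = ["authorization_code", "implicit"]


def token_in_front_channel(response_type):
    """True if the response type returns an access token in the redirect."""
    # A response type is a space-separated set of values; "token" in that
    # set means the access token is delivered in the redirect URL fragment.
    return "token" in response_type.split()


def audit_metadata(metadata):
    """Return findings for settings that let a token reach a redirect URL."""
    findings = []
    for rt in metadata.get("response_types_supported", []):
        if token_in_front_channel(rt):
            findings.append(
                f"response_type '{rt}' returns an access token in the redirect URL"
            )
    grants = metadata.get("grant_types_supported", DEFAULT_GRANT_TYPES)
    if "implicit" in grants:
        findings.append("grant type 'implicit' is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_metadata(SAMPLE_METADATA):
        print("FINDING:", finding)
```

An empty result means the provider advertises no flow that would leave an access token in a redirect URL, and therefore none in the browser history.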