An attacker might attempt to inject a request to the redirect URI of the legitimate client on the victim's device (for example by making the victim's user agent load that URI with an authorization code the attacker obtained for their own account), e.g., to cause the client to access resources under the attacker's control. This is a variant of an attack known as Cross-Site Request Forgery (CSRF).
OAuth 2.0 Security Best Current Practice (draft 25) (SecBCP, section 4.7)
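The countermeasure SecBCP section 4.7 prescribes is to bind each authorization request to the user agent's session, with PKCE and a session-bound state value, and to discard any authorization response that does not carry the expected state. The code below is an added example, not code from this page or from the BCP: a minimal client that does that binding, the S256 verifier check an authorization server performs at the token endpoint, and a constructed scenario in which an injected callback carrying an attacker's code is rejected. The client_id, endpoint URLs, dict-based session and the code values are assumptions for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge_matches(code_challenge: str, code_verifier: str) -> bool:
    """What the authorization server checks at the token endpoint (S256):
    the verifier sent with the code must hash to the challenge the code is bound to."""
    derived = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(derived, code_challenge)


class CallbackRejected(Exception):
    """Raised when a redirect to the client's redirect URI is not accepted."""


class CsrfBoundClient:
    """Hypothetical authorization-code client; `session` stands in for
    server-side session storage that only this user agent can reach."""

    def __init__(self, client_id: str, redirect_uri: str, authz_endpoint: str):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.authz_endpoint = authz_endpoint

    def start_authorization(self, session: dict) -> str:
        """Build the authorization request URL and remember, in this session only,
        the fresh state and PKCE verifier the response must be matched against."""
        state = b64url(secrets.token_bytes(32))
        verifier = b64url(secrets.token_bytes(32))
        session["oauth_state"] = state
        session["pkce_verifier"] = verifier
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid",
            "state": state,
            "code_challenge": b64url(hashlib.sha256(verifier.encode("ascii")).digest()),
            "code_challenge_method": "S256",
        }
        return f"{self.authz_endpoint}?{urlencode(params)}"

    def handle_callback(self, session: dict, callback_url: str) -> dict:
        """Accept the redirect only if it answers the request this session started.
        A request injected by an attacker does not know the session's state and is
        dropped before any code is exchanged. State and verifier are single-use."""
        expected_state = session.pop("oauth_state", None)
        verifier = session.pop("pkce_verifier", None)
        if expected_state is None or verifier is None:
            raise CallbackRejected("no authorization request pending in this session")
        query = parse_qs(urlparse(callback_url).query)
        received_state = query.get("state", [""])[0]
        if not secrets.compare_digest(received_state, expected_state):
            raise CallbackRejected("state mismatch: response not bound to this session")
        if "error" in query:
            raise CallbackRejected(f"authorization error: {query['error'][0]}")
        code = query.get("code", [None])[0]
        if code is None:
            raise CallbackRejected("no authorization code in response")
        return {"code": code, "code_verifier": verifier}


def demo() -> dict:
    """Constructed scenario (assumed values): a legitimate round trip, a replay of
    that response, an attacker-injected callback, and the PKCE backstop at the AS."""
    client = CsrfBoundClient("client-1", "https://client.example/cb", "https://as.example/authorize")
    outcome = {}

    # 1. Legitimate flow: the AS redirects back with the state it was given.
    session = {}
    req = parse_qs(urlparse(client.start_authorization(session)).query)
    legit_cb = f"{client.redirect_uri}?code=CODE-FOR-VICTIM&state={req['state'][0]}"
    result = client.handle_callback(session, legit_cb)
    outcome["legit_code"] = result["code"]
    outcome["legit_pkce_ok"] = pkce_challenge_matches(req["code_challenge"][0], result["code_verifier"])

    # 2. Replaying the consumed response fails: the state left the session on first use.
    try:
        client.handle_callback(session, legit_cb)
        outcome["replay_accepted"] = True
    except CallbackRejected:
        outcome["replay_accepted"] = False

    # 3. CSRF: the attacker holds a code for their own account and makes the
    # victim's browser load the client's redirect URI with it.
    session = {}
    client.start_authorization(session)
    injected_cb = f"{client.redirect_uri}?code=CODE-FOR-ATTACKER&state=guess"
    try:
        client.handle_callback(session, injected_cb)
        outcome["injected_accepted"] = True
    except CallbackRejected:
        outcome["injected_accepted"] = False

    # 4. Defense in depth: even if the state check were bypassed, the attacker's code
    # is bound at the AS to the attacker's challenge, which the victim's verifier cannot satisfy.
    attacker_challenge = b64url(hashlib.sha256(b64url(secrets.token_bytes(32)).encode("ascii")).digest())
    outcome["attacker_code_pkce_ok"] = pkce_challenge_matches(attacker_challenge, result["code_verifier"])
    return outcome


if __name__ == "__main__":
    print(demo())
```

The two checks are independent: `state` stops the injected response at the client, before any token request is made, and PKCE means that even a response that somehow passed the state check would fail at the token endpoint because the attacker's code is tied to a challenge the victim's session cannot answer. Both values are generated fresh per request and removed from the session on first use, so a captured legitimate response cannot be replayed into the same session either.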
This threat is considered fully mitigated if all the test cases from one of the following test sets succeed.