TL;DR

  • OAuth is about delegated access, not authentication by itself.
  • Most bugs come from redirect URI, token validation, and scope handling.
  • Always validate state, nonce, aud, iss, and exp.

Core Roles

  • Resource Owner: end user
  • Client: application requesting access
  • Authorization Server: issues tokens
  • Resource Server: API that consumes tokens
  • User Agent: browser or device

Common Flows

  • Authorization Code (standard for web apps)
  • Authorization Code + PKCE (public clients)
  • Client Credentials (machine-to-machine)
  • Device Flow (TV/IoT)
  • Implicit (legacy, avoid in new apps)

Common Vulnerabilities

  • Weak redirect_uri validation (open redirect/token leakage)
  • Missing or weak state (CSRF)
  • Token confusion (accepting a token for the wrong client)
  • Mutable claims (e.g. email used as account key)
  • Overbroad scopes and missing scope checks
  • Broken account linking / federation fallbacks

Quick Test Checklist

  • Validate redirect_uri with strict allowlists.
  • Verify state and nonce on return.
  • Check aud, iss, exp, and signature for tokens.
  • Ensure scopes are enforced server-side.
  • Test for account linking or IdP bypasses.
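
The two checks the list above repeats most often, a strict redirect_uri allowlist and aud/iss/exp/nonce validation, as an added example that is not part of the original notes; the client id, registered URI and token claims are constructed for illustration, and the token's signature is assumed to have been verified before the claim check runs.

```python
# Added example (not from the original notes): an exact-match redirect_uri
# allowlist and an ID-token claim check. Allowlist and claims are constructed.
import time
from urllib.parse import urlsplit

# Constructed allowlist: the exact redirect URIs registered for each client.
REGISTERED_REDIRECTS = {
    "client-abc": {"https://app.example.com/oauth/callback"},
}

def redirect_uri_allowed(client_id, redirect_uri):
    """Exact string match against the client's registered redirect URIs.

    Prefix or host-only matching is what lets app.example.com.evil.test or
    /callback/../other through, so the whole URI must equal a registered one.
    The scheme/fragment checks are defence in depth (RFC 6749 forbids
    fragments in redirect URIs); they assume an https web client.
    """
    allowed = REGISTERED_REDIRECTS.get(client_id, set())
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment or not parts.netloc:
        return False
    return redirect_uri in allowed

def validate_id_token_claims(claims, expected_iss, client_id, expected_nonce, now=None):
    """Check iss, aud, exp and nonce of an already signature-verified token.

    Returns the names of the failed checks; an empty list means the claims pass.
    """
    now = time.time() if now is None else now
    failures = []
    if claims.get("iss") != expected_iss:
        failures.append("iss")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    # Token confusion: a token minted for a different client is rejected
    # even when it comes from the right issuer.
    if client_id not in aud:
        failures.append("aud")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        failures.append("exp")
    # nonce binds the token to the authorization request that started this login.
    if claims.get("nonce") != expected_nonce:
        failures.append("nonce")
    return failures
```

The same exact-match rule applies to the token endpoint: the redirect_uri sent with the code exchange must equal the one used in the authorization request.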

References

  • Doyensec: https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html
  • OAuth 2.0: https://datatracker.ietf.org/doc/html/rfc6749
  • PKCE: https://datatracker.ietf.org/doc/html/rfc7636