Given the `client_id`, it's possible to test this misconfiguration by sending the authorization server a fake redirect URI. If the server redirects to it (an HTTP 302 whose Location carries the authorization code or token) instead of returning an error, redirect URI validation is weak.

Given the `client_id`, it's possible to test this misconfiguration by abusing an open redirect on the legitimate redirect domain: the redirect URI passes validation, and the open redirect forwards the authorization code or token to an attacker-controlled host. The server's HTTP response shows whether the misconfiguration is present.

The `Referer` header could leak important information such as the authorization code, the `state` value, or the access token.

`code_challenge` is present in the authorization request, which means the client is using PKCE to prevent some OAuth attacks (notably authorization code interception).

The `nonce` parameter prevents replay attacks: in OpenID Connect it is echoed in the ID token so the client can reject a replayed one.

If the `state` parameter is not used in the authorization request, a CSRF attack is possible.
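The following script is an added example, not code from the original page or from any tool it describes. It automates the checks above against a captured authorization request: it flags a missing `state` (CSRF), a missing `nonce` on an `openid` request (ID token replay) and whether `code_challenge` is present (PKCE), rebuilds the request with a forged `redirect_uri`, classifies the authorization server's reply to it, and inspects a `Referer` value for leaked `code`, `state` or tokens. It goes slightly beyond the page in also reporting a `plain` PKCE method (the RFC 7636 default when `code_challenge_method` is omitted). All hosts, client IDs, codes and responses are constructed for illustration.

```python
"""Request- and response-side checks for the OAuth misconfigurations above.

Added example (not from the original page). All hosts, client IDs, codes
and responses are constructed for illustration.
"""
from __future__ import annotations

from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# OAuth/OIDC parameters that must never travel in a Referer header.
SENSITIVE_PARAMS = ("code", "state", "access_token", "id_token")


def parse_auth_request(url: str) -> dict:
    """Flatten the query string of an authorization request into a dict."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def audit_auth_request(url: str) -> dict:
    """Check the client's authorization request for state, nonce and PKCE.

    - no (or empty) state         -> login CSRF is possible
    - no nonce with scope openid  -> the ID token can be replayed
    - code_challenge present      -> PKCE in use; method defaults to "plain" (RFC 7636)
    """
    p = parse_auth_request(url)
    pkce = "code_challenge" in p
    return {
        "state_missing": not p.get("state"),
        "nonce_missing": "openid" in p.get("scope", "").split() and not p.get("nonce"),
        "pkce_used": pkce,
        "pkce_plain": pkce and p.get("code_challenge_method", "plain") == "plain",
    }


def forge_redirect_request(url: str, fake_uri: str) -> str:
    """Rebuild the request with redirect_uri swapped for an attacker-controlled URI."""
    parts = urlsplit(url)
    p = parse_auth_request(url)
    p["redirect_uri"] = fake_uri
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(p), ""))


def classify_redirect_response(status: int, location: Optional[str], fake_uri: str) -> str:
    """Interpret the authorization server's reply to the forged request.

    Weak validation shows as a 3xx whose Location is on the fake host and
    carries the code (query) or token (fragment). Anything else, including
    an error redirect back to the registered URI, means the server held.
    """
    if 300 <= status < 400 and location:
        loc, fake = urlsplit(location), urlsplit(fake_uri)
        if (loc.scheme, loc.netloc) == (fake.scheme, fake.netloc):
            if "code" in parse_qs(loc.query) or "access_token" in parse_qs(loc.fragment):
                return "vulnerable: credentials delivered to the fake redirect_uri"
            return "suspicious: redirected to the fake redirect_uri without credentials"
    return "ok: forged redirect_uri rejected"


def referer_leaks(referer: str) -> list:
    """List sensitive OAuth parameters carried in a Referer header value.

    Only the query is inspected: browsers strip the fragment before sending
    Referer, so an implicit-flow token leaks this way only after the client
    has copied it into a query string.
    """
    present = set(parse_qs(urlsplit(referer).query))
    return sorted(name for name in SENSITIVE_PARAMS if name in present)


if __name__ == "__main__":
    # Constructed authorization request lacking state, nonce and PKCE.
    weak = ("https://as.example/authorize?response_type=code&client_id=demo-client"
            "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&scope=openid%20profile")
    print(audit_auth_request(weak))
    print(forge_redirect_request(weak, "https://attacker.example/cb"))
    # Constructed server reply: the code is handed to the forged redirect_uri.
    print(classify_redirect_response(302, "https://attacker.example/cb?code=c0nstructed",
                                     "https://attacker.example/cb"))
    print(referer_leaks("https://app.example/cb?code=c0nstructed&state=xyz"))
```

In practice the forged request from `forge_redirect_request` is sent with redirects disabled and the raw status and `Location` header are fed to `classify_redirect_response`; a redirect back to the registered URI with `error=invalid_request` is the expected good outcome, and a `suspicious` result (redirect to the fake host without credentials) still deserves a manual look.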