Redirect to a controlled domain to get the access token.
OAuth implementations should never whitelist entire domains, only a few exact URLs, so that "redirect_uri" can't be pointed at an open redirect on a whitelisted domain.
Sometimes you need to change the scope to an invalid one to bypass a filter on redirect_uri:
Some Android/iOS apps can be decompiled and the OAuth private key can be accessed.
Applications that do not check for a valid CSRF token (the OAuth `state` parameter) in the OAuth callback are vulnerable. This can be exploited by initializing the OAuth flow and intercepting the callback (https://example.com/callback?code=AUTHORIZATION_CODE). This URL can be used in CSRF attacks.
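The two server-side checks that close the issues above (exact-match `redirect_uri` validation that runs regardless of `scope`, and a session-bound `state` verified on the callback), as an added defensive example that is not part of the original page; the client id and registered URI are constructed sample values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample registration: exact redirect URIs per client, never
# whole domains, so an open redirect elsewhere on the host is useless.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}
VALID_SCOPES = {"openid", "profile", "email"}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact string match against the client's registered URIs.

    Prefix or hostname matching would accept a URI such as
    https://app.example.com/redirect?to=https://attacker.invalid.
    """
    if redirect_uri not in REGISTERED_REDIRECT_URIS.get(client_id, set()):
        return False
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and not parts.fragment


def authorize(client_id: str, redirect_uri: str, scope: str) -> str:
    """Order matters: redirect_uri is checked first, so an invalid scope can
    never short-circuit the check or trigger an error redirect to an
    unvalidated URI."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return "error:invalid_redirect_uri"  # shown on the AS, never redirected
    if not set(scope.split()) <= VALID_SCOPES:
        return "error:invalid_scope"
    return "ok"


def new_state(session: dict) -> str:
    """Random, single-use state stored in the user's session before redirecting."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def callback_is_genuine(session: dict, callback_url: str) -> bool:
    """Reject a callback whose state does not match this session, which is
    what stops a crafted /callback?code=... from being forced on a victim."""
    expected = session.pop("oauth_state", None)  # consume: no replay
    query = parse_qs(urlsplit(callback_url).query)
    received = query.get("state", [""])[0]
    if not expected or not received or "code" not in query:
        return False
    return hmac.compare_digest(expected.encode(), received.encode())
```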