/authorization with a number of query parameters used specifically for OAuth. Make sure you look out for the
GET /authorization?client_id=12345&redirect_uri=https://client-app.com/callback&response_type=token&scope=openid%20profile&state=ae13d489bd00e3c24 HTTP/1.1
Host: oauth-authorization-server.com
GET request to these standard endpoints:
POST request, in order to be assigned a session cookie, essentially logging them in.
state parameter of the OAuth request is often used as a CSRF token for the client application.
state parameter is not set, you can perform an attack similar to a traditional CSRF, where an attacker can initiate an OAuth flow themselves before tricking a user's browser into completing it.
/callback endpoint specified in the
redirect_uri parameter of the authorization request. If the OAuth service fails to validate this URI properly, an attacker may be able to construct a CSRF-like attack, tricking the victim's browser into initiating an OAuth flow that will send the code or token to an attacker-controlled
redirect_uri parameter to understand how it is being validated.
redirect_uri, you may be able to change parameters within the URI structure itself.
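The two weaknesses described above, a missing or unchecked state parameter and a loosely validated redirect_uri, have straightforward server-side fixes. The following is an added example (not code from the page or from any OAuth library) showing both checks: the authorization server accepts a redirect_uri only when it exactly matches one pre-registered for that client_id, and the client application binds a random state value to the user's session and refuses any callback that does not carry it back. The client registry, the client_id 12345, and the host names are constructed sample values; the ClientSession class stands in for whatever session store the client app really uses.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample client registry (assumed, not from the page): each client_id maps
# to the exact redirect URIs it registered. A real server loads this from its client store.
REGISTERED_CLIENTS = {
    "12345": {"https://client-app.com/callback"},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Authorization-server side: accept redirect_uri only when it is byte-for-byte one of
    the client's registered URIs. No prefix, host-only or 'starts with' matching, because
    every such relaxation is exactly the room the text above says an attacker will use."""
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered:
        return False
    parts = urlsplit(redirect_uri)
    # RFC 6749 s3.1.2 requires an absolute URI with no fragment; requiring https as well
    # is this example's own policy choice.
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return redirect_uri in registered


class ClientSession:
    """Minimal stand-in (assumed) for the client application's server-side session."""

    def __init__(self) -> None:
        self.oauth_state = None


def begin_authorization(session: ClientSession) -> str:
    """Client side: generate an unguessable state, bind it to this user's session, and
    return the authorization URL the browser will be sent to."""
    session.oauth_state = secrets.token_urlsafe(32)
    return (
        "https://oauth-authorization-server.com/authorization"
        "?client_id=12345&redirect_uri=https://client-app.com/callback"
        "&response_type=code&scope=openid%20profile"
        f"&state={session.oauth_state}"
    )


def handle_callback(session: ClientSession, query: dict) -> bool:
    """Client side: the callback is accepted only when it carries the state bound to this
    session. A missing or foreign state is rejected, which is what stops a flow begun in
    someone else's browser from being completed in the victim's."""
    expected = session.oauth_state
    received = query.get("state")
    if not expected or not received:
        return False
    # state is single-use: clear it before comparing so a replay cannot succeed either.
    session.oauth_state = None
    return hmac.compare_digest(expected, received)
```

In handle_callback the comparison happens only after the session's stored state has been cleared, so even a correct state value can be redeemed once; the token or code exchange that follows should be gated on this function returning True.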
/userinfo endpoint, manually adding a new
scope parameter in the process.
key:value pairs that represent information about the user on the resource server.
openid in the authorization request.
profile, email, address,
id_token response type. This returns a JSON web token (JWT) signed with a JSON web signature (JWS). The JWT payload contains a list of claims based on the scope that was initially requested. It also contains information about how and when the user was last authenticated by the OAuth service.
POST request to a dedicated
/registration endpoint. The name of this endpoint is usually provided in the configuration file and documentation.