I was going to post this last week but thought it wasn’t important enough. After reading the “New Auth Flow” RFC and saw it reference OAuth I figured I’d share it for informational purposes.
EDIT:Comment at the bottom stated:This is no oauth vulnerability,any body that had to deal with oauth implicit flow implementation server side know that he has to validate the user id sent by the client.
Any thing sent from the client should never be trusted
So I’ll just leave it here for the members of this forum to judge.
PLEASE TELL ME TO DELETE THIS IF IT’S INCORRECT!