Expected Findings
- `redirect_uri` is not matched against a registered allow-list.
- `state` parameter is optional and never verified on callback.
- PKCE (`code_challenge`) is accepted but never enforced.
OAuth2 Provider
OAuth Redirect
The authorize endpoint accepts any redirect_uri and skips state and PKCE checks, making it trivial to siphon access codes to an attacker domain.
Login flow
Trigger consent
Primary Flows
- Authorize Issues a code to any URL
- Token Exchanges code without PKCE check
- Client metadata Public client, no secret rotation
Signals
Validation
// TODO: validate redirect_uri later
Location: ${redirect_uri}?code=${code}