Expected Findings
- `redirect_uri` is matched exactly against the client's registered URI.
- `state` is required and verified on callback.
- `code_verifier` is required at the token endpoint.
Clean Reference
ref-oauth (Clean Reference)
Reference OAuth flow with exact-match redirect_uri, required state, and enforced PKCE. Any finding here is a false positive.
Reference probe
Primary Flows
- Authorize (rejects evil) 400 on unknown redirect
- Token (rejects without verifier) POST without code_verifier
- Client metadata Shows allow-list
Signals
Allow-list
clients["mobile"].redirect_uris == ["https://app.example.com/cb"] // exact match
Notes
- This scenario is a true-negative control. Scanners flagging it are producing false positives.