<aside> 💡 CSRF occurs when a malicious application causes the user’s browser to perform an unwanted action through a request to a website where the user is currently authenticated.
</aside>
The main thing to keep in mind is that browsers make requests (with cookies attached) to any origin, so a site that receives such a request performs the specific action it asks for.
If a user is logged in to a site that offers the capability to execute some sort of task, and an attacker tricks the user’s browser into making a request to one of these task URIs, then the task is performed as the logged-in user.
An attacker will embed malicious HTML or JavaScript code into an email or website so that it requests a specific task URI, and the task executes without the user’s knowledge.
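
The server's view of this, as an added example that is not part of the original notes: a task handler that trusts the session cookie alone, next to one that also requires a per-session token the browser does not attach automatically. The cookie name `sid`, the `x-csrf-token` header, the session store and the request objects are all assumptions constructed for illustration.

```javascript
// Added example: names, cookie name and requests below are constructed for illustration.
const crypto = require('crypto');

// Constructed session store: session id -> user plus a per-session CSRF token.
const sessions = new Map([
  ['sess-abc', { user: 'alice', csrfToken: crypto.randomBytes(16).toString('hex') }],
]);

// Resolve the session from the Cookie header, which the browser attaches automatically.
function sessionFromCookie(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || '');
  return m ? sessions.get(m[1]) : undefined;
}

// Cookie-only handler: any request carrying the cookie runs the task as the user.
function handleTaskCookieOnly(req) {
  const s = sessionFromCookie(req);
  return s ? { status: 200, actedAs: s.user } : { status: 401 };
}

// Hardened handler: also requires a token that the browser never attaches on its own.
function handleTaskWithToken(req) {
  const s = sessionFromCookie(req);
  if (!s) return { status: 401 };
  const sent = Buffer.from(String(req.headers['x-csrf-token'] || ''));
  const want = Buffer.from(s.csrfToken);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  const ok = sent.length === want.length && crypto.timingSafeEqual(sent, want);
  return ok ? { status: 200, actedAs: s.user } : { status: 403 };
}

// Constructed requests. Both carry the same session cookie; only the one built by
// the site's own page knows the token.
const fromOtherSite = { method: 'POST', url: '/task', headers: { cookie: 'sid=sess-abc' } };
const fromOwnPage = {
  method: 'POST',
  url: '/task',
  headers: { cookie: 'sid=sess-abc', 'x-csrf-token': sessions.get('sess-abc').csrfToken },
};

console.log('cookie-only, other site:', handleTaskCookieOnly(fromOtherSite));
console.log('with token, other site: ', handleTaskWithToken(fromOtherSite));
console.log('with token, own page:   ', handleTaskWithToken(fromOwnPage));
```

The cookie-only handler cannot tell the two requests apart, because the cookie is present in both; the token check rejects the request that did not come from the site's own page.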