Severity: High · OWASP A07:2021 · CWE-601 · Category: Authentication

OAuth2 Security Misconfigurations

OAuth2 misconfigurations — open redirect_uri, missing PKCE, implicit flow, exposed client secrets — allow attackers to steal authorization codes and access tokens, leading to full account takeover without knowing the victim's password.

What Is an OAuth2 Security Misconfiguration?

OAuth2 is the industry standard for delegated authorization — it lets users grant third-party apps access to their accounts without sharing passwords. When misconfigured, the protocol itself becomes the attack vector, enabling attackers to steal tokens and take over accounts.

AI-generated apps frequently implement OAuth2 incorrectly because the protocol has many subtle security requirements that LLMs often omit or implement in the unsafe legacy way.

Common Misconfigurations

1. Open redirect_uri

The redirect_uri is where the authorization server sends the user's auth code after login. If it's not strictly validated:

https://accounts.google.com/o/oauth2/auth?
  client_id=YOUR_CLIENT_ID&
  redirect_uri=https://attacker.com/steal&  ← attacker-controlled
  response_type=code&
  scope=openid email

The victim clicks a link, logs in legitimately, and their auth code is sent to attacker.com. The attacker exchanges it for tokens and takes over the account.

2. Missing PKCE (Proof Key for Code Exchange)

Public clients (SPAs, mobile apps) without PKCE are vulnerable to authorization code interception:

# Vulnerable — no code_challenge
GET /authorize?response_type=code&client_id=...&redirect_uri=...

# Secure — with PKCE
GET /authorize?response_type=code&client_id=...&redirect_uri=...
  &code_challenge=BASE64URL(SHA256(verifier))
  &code_challenge_method=S256

Without PKCE, a malicious app on the same device can intercept the auth code and exchange it for tokens.

3. Implicit Flow (Deprecated)

// Dangerous — response_type=token sends access_token in URL fragment
const authUrl = `${authEndpoint}?response_type=token&...`

Tokens in URLs leak via browser history, server logs, Referer headers, and analytics tools. The implicit flow was deprecated in OAuth 2.1.

4. Missing state Parameter

GET /authorize?response_type=code&client_id=...
# Missing &state=RANDOM_VALUE

Without state, the app is vulnerable to CSRF — an attacker can trick a user into linking the attacker's account to the victim's profile (account linking attacks).

5. Client Secret in Frontend Code

// Found in bundle.js — catastrophic
const CLIENT_SECRET = "client_secret_abc123xyz"

Confidential OAuth client secrets must never appear in browser JavaScript. Anyone can extract them and impersonate the app to the authorization server.

Real-World Impact

  • Full account takeover — steal auth codes → exchange for tokens → access account
  • Account linking attack — link victim's account to attacker's social identity
  • Privilege escalation — obtain tokens with broader scopes than intended
  • Session persistence — long-lived refresh tokens give permanent access

How to Fix

Always use Authorization Code Flow + PKCE:

// Generate PKCE verifier and challenge in the browser with the Web Crypto API
// (the original snippet mixed Node's crypto.randomBytes with browser sessionStorage)
const toBase64Url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')

const verifier = toBase64Url(crypto.getRandomValues(new Uint8Array(32)))
const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier))
const challenge = toBase64Url(new Uint8Array(digest))

// Store verifier, send challenge
sessionStorage.setItem('pkce_verifier', verifier)

const authUrl = new URL(authEndpoint)
authUrl.searchParams.set('response_type', 'code')
authUrl.searchParams.set('code_challenge', challenge)
authUrl.searchParams.set('code_challenge_method', 'S256')

Strictly validate redirect_uri server-side:

from fastapi import HTTPException

# Exact-match allowlist: no prefix, wildcard or substring matching
ALLOWED_REDIRECT_URIS = {"https://myapp.com/callback"}

def authorize(redirect_uri: str):
    if redirect_uri not in ALLOWED_REDIRECT_URIS:
        raise HTTPException(400, "Invalid redirect_uri")

Always include and verify state:

const state = crypto.randomUUID()
sessionStorage.setItem('oauth_state', state)
authUrl.searchParams.set('state', state)

// On callback: verify state matches before exchanging code
const returnedState = new URL(location.href).searchParams.get('state')
if (returnedState !== sessionStorage.getItem('oauth_state')) throw new Error('state mismatch')

Keep client secrets server-side only — use a backend proxy for token exchange.
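The server side of these fixes, as an added example that is not part of the original page or of VibeWShield's code: an authorization endpoint that enforces an exact-match redirect_uri, a required state, and mandatory S256 PKCE for public clients, plus the token-endpoint check that the presented code_verifier hashes to the stored code_challenge and that each code is used once. The client registration and URIs are constructed placeholders.

```python
import base64
import hashlib
import secrets

# Constructed sample client registration (placeholder values, not a real client).
CLIENTS = {
    "spa-client": {
        "redirect_uris": {"https://myapp.com/callback"},  # exact-match allowlist
        "public": True,  # public client (SPA/mobile): PKCE is mandatory
    }
}
# Codes awaiting exchange: code -> what was bound to it at /authorize.
ISSUED_CODES = {}

def validate_authorize(params: dict) -> str:
    """Check an /authorize request; return a one-time code or raise ValueError."""
    client = CLIENTS.get(params.get("client_id"))
    if client is None:
        raise ValueError("unknown client_id")
    if params.get("response_type") != "code":
        raise ValueError("only response_type=code is accepted (no implicit flow)")
    redirect_uri = params.get("redirect_uri")
    if redirect_uri not in client["redirect_uris"]:  # exact string match, no prefixes
        raise ValueError("invalid redirect_uri")
    if not params.get("state"):
        raise ValueError("missing state")
    challenge = params.get("code_challenge")
    if client["public"] and (not challenge or params.get("code_challenge_method") != "S256"):
        raise ValueError("PKCE with S256 is required for public clients")
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {"client_id": params["client_id"], "redirect_uri": redirect_uri,
                          "code_challenge": challenge}
    return code

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def validate_token_exchange(code: str, client_id: str, redirect_uri: str, code_verifier: str = "") -> bool:
    """Token-endpoint checks: the code is single-use and bound to client, URI and PKCE."""
    record = ISSUED_CODES.pop(code, None)  # pop: a replayed code is rejected
    if record is None or record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        return False
    if record["code_challenge"] is None:  # confidential client that sent no PKCE
        return True
    # Verifier must hash to the challenge sent at /authorize (constant-time compare).
    return bool(code_verifier) and secrets.compare_digest(s256_challenge(code_verifier), record["code_challenge"])
```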

What VibeWShield Detects

VibeWShield's OAuth2 Security scanner detects:

  • Implicit Flow — response_type=token in JS source
  • Missing PKCE — authorization code flow without code_challenge
  • Client secret in JS — regex scan of all fetched bundles
  • Open redirect_uri — tests if attacker-controlled URIs are accepted
  • Missing state — OAuth flows without CSRF protection
  • Token in URL — access tokens in discovered URLs (leaked via logs/history)

Findings range from Medium (missing state) to Critical (open redirect_uri + client secret).

Tags: #oauth2 #authentication #pkce #implicit-flow #account-takeover
