provider has sent the access_token to the client application, the application still has to maintain a session of its own. To do this, the client application will often submit the token together with the user's identity details to its server in a POST request, and the server then assigns the user a session cookie, effectively logging them in much like a traditional password-based login. However, the server holds no secret or password of its own to compare against the data submitted by the client application, so that data is implicitly trusted. So what can we do? An attacker who holds a valid access token for their own account can simply change the identity parameters in that POST request and be logged in as any user they choose.
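The following is an added example, not code from the original post or from any real client application, that contrasts the flawed login handler described above with one that derives the user's identity from the token itself. The provider's `/userinfo` endpoint, the token table, the field names `token` and `email`, and the user accounts are all constructed stand-ins for illustration.

```python
"""Added example: login handler that trusts client-submitted identity
(vulnerable) versus one that asks the provider who the token belongs to.
All data below is constructed; nothing here talks to a real OAuth provider."""
from dataclasses import dataclass
from typing import Callable

# Constructed stand-in for the provider's token store. In a real deployment
# the client application would call the provider's /userinfo endpoint with
# the access token rather than consult a local table.
_PROVIDER_TOKENS = {
    "tok-wiener-abc123": {"sub": "1001", "email": "wiener@example.com"},
}


class ProviderError(Exception):
    """Provider rejected the token (invalid, expired, or missing)."""


class TamperedRequest(Exception):
    """Client-submitted identity does not match what the token is bound to."""


def provider_userinfo(access_token: str) -> dict:
    """Simulated /userinfo: returns the identity bound to the token or raises."""
    info = _PROVIDER_TOKENS.get(access_token)
    if info is None:
        raise ProviderError("invalid or expired access_token")
    return dict(info)


@dataclass
class Session:
    email: str


def vulnerable_login(form: dict) -> Session:
    """The flawed pattern from the text: the server has nothing to compare
    against, so it believes whatever the browser POSTs. An attacker with a
    valid token for their own account changes `email` and gets a session
    as any user."""
    if not form.get("token"):
        raise ProviderError("missing token")
    return Session(email=form["email"])   # identity taken on trust


def hardened_login(form: dict,
                   userinfo: Callable[[str], dict] = provider_userinfo) -> Session:
    """Identity comes only from the provider's answer for this token.
    The client-submitted `email` is never used to build the session; if it
    disagrees with the provider, the request is rejected as tampering."""
    token = form.get("token")
    if not token:
        raise ProviderError("missing token")
    info = userinfo(token)                # raises ProviderError on bad token
    claimed = form.get("email")
    if claimed is not None and claimed != info["email"]:
        # Fail closed: a mismatch is a tampered request worth logging.
        raise TamperedRequest(f"claimed {claimed!r}, token belongs to {info['email']!r}")
    return Session(email=info["email"])


if __name__ == "__main__":
    # Attacker's tampered POST: their own valid token, someone else's email.
    tampered = {"token": "tok-wiener-abc123", "email": "carlos@example.com"}
    print("vulnerable ->", vulnerable_login(tampered))
    try:
        hardened_login(tampered)
    except TamperedRequest as e:
        print("hardened  -> rejected:", e)
```

In a real deployment the server should additionally confirm that the token was issued to this client application (for example via the provider's token introspection endpoint or the `aud` claim of an ID token), which the stand-in `/userinfo` lookup does not show; otherwise a token obtained from a different, attacker-controlled client could still be presented here.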