Slide 13
Improper implementation of the implicit grant type
Once the OAuth provider has sent the access_token to the client application, the application has to maintain a session. To achieve this, the client application will often submit this data (the token plus user details such as an e-mail address) to its own server in a POST request; the server then assigns the user a session cookie, effectively logging them in much like a traditional password-based login.
However, the server holds no secret or password to compare against the data submitted by the client application, so that data is implicitly trusted.
What can we do?
In this situation, an attacker can simply change the parameters sent to the server to impersonate any user, because the access token itself is valid and the server never checks which user it actually belongs to.
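The flaw and its fix side by side, as an added example that is not part of the slide deck: a login handler that trusts the posted e-mail beside one that asks the provider who the token belongs to. The provider's userinfo lookup and the token table are constructed stand-ins so the code runs offline; `provider_userinfo` is a hypothetical name, not a real library call.

```python
# Constructed sample data: what the OAuth provider's userinfo endpoint
# would return for each access_token (hypothetical, for offline use).
PROVIDER_USERINFO = {
    "tok-alice": {"sub": "1001", "email": "alice@example.com"},
}


def provider_userinfo(access_token):
    """Stand-in for GET /userinfo with 'Authorization: Bearer <token>'."""
    return PROVIDER_USERINFO.get(access_token)


def login_vulnerable(form):
    """Implicit-grant handler that trusts identity fields posted by the client."""
    # The server has nothing to compare against, so any e-mail the client
    # sends is accepted as long as some access_token is present.
    if not form.get("access_token"):
        return None
    return {"session_user": form["email"]}


def login_fixed(form):
    """Derive the identity from the provider, never from the client's POST body."""
    token = form.get("access_token")
    if not token:
        return None
    info = provider_userinfo(token)
    if info is None:
        return None  # provider does not recognise the token: refuse login
    # The session identity comes from the provider's answer, so a tampered
    # e-mail in the POST body is ignored. In a real deployment also confirm
    # the token was issued to this client (audience/client_id check).
    return {"session_user": info["email"]}
```

Running both handlers on a request whose e-mail field was changed shows the vulnerable handler logging in as the supplied e-mail while the fixed handler ignores it.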