A relatively common OAuth and OpenID Connect implementation flaw is to allow arbitrary schemes for the redirect_uri parameter within the Authorization Request. This enables CSRF-style credential disclosure attacks using custom URL schemes for native applications.
This simple demo application registers the URL scheme com.test.test:// and displays the data it receives when it is activated via an Intent.
- Install the application (either from source or via the Play Store: https://play.google.com/store/apps/details?id=com.lauritz.oauthredirecturitest).
- Click the following link: com.test.test://example.com/callback?code=test#access_token=test2
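The server-side check that prevents this, as an added example that is not part of this demo app: a weak validator that compares only host and path (so the scheme is attacker-controlled) next to a strict one that requires an exact match against pre-registered redirect URIs. The client registry and client IDs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample client registrations (hypothetical, not from the demo).
# A native app may legitimately register a custom scheme; the defect is
# accepting schemes that were never registered.
REGISTERED = {
    "web-client": {"https://example.com/callback"},
    "native-app": {"com.test.test://callback"},
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Vulnerable pattern: only host and path are compared, so
    'com.test.test://example.com/callback' is accepted for a client that
    registered 'https://example.com/callback'."""
    req = urlsplit(redirect_uri)
    for registered in REGISTERED.get(client_id, ()):
        reg = urlsplit(registered)
        if (req.hostname, req.path) == (reg.hostname, reg.path):
            return True
    return False


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened pattern: the redirect_uri must be byte-for-byte identical to
    a registered value, which implicitly pins the scheme. A fragment is
    rejected outright, as RFC 6749 forbids fragments in redirect URIs."""
    if urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in REGISTERED.get(client_id, ())


if __name__ == "__main__":
    hostile = "com.test.test://example.com/callback"
    print("weak  :", weak_redirect_check("web-client", hostile))    # True
    print("strict:", strict_redirect_check("web-client", hostile))  # False
```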