oauth-oidc-misconfiguration


SKILL: OAuth and OIDC Misconfiguration — Redirects, PKCE, Scopes, and Token Binding


AI LOAD INSTRUCTION: Use this skill when the target uses OAuth 2.0 or OpenID Connect and you need a focused misconfiguration checklist: redirect URI validation, state and nonce handling, PKCE enforcement, token audience, and account binding mistakes.

1. WHEN TO LOAD THIS SKILL


Load when:
  • The app supports "Login with Google", GitHub, Microsoft, Okta, or other IdPs
  • You see authorize, callback, redirect_uri, code, state, nonce, or code_challenge in URLs or request bodies
  • Mobile or SPA clients rely on OAuth or OIDC flows
For token cryptography and JWT header abuse, also load:
  • jwt oauth token attacks

2. HIGH-VALUE MISCONFIGURATION CHECKS


Theme                      | What to check
state handling             | missing, static, predictable, reusable, or not bound to the user's browser session
redirect_uri validation    | prefix match instead of exact match against the registered URI, open redirect chaining on an allowed host, path confusion (dot segments, trailing additions), localhost or dev URIs left registered
PKCE                       | missing for public clients (SPA, mobile), code_verifier not checked at the token endpoint, downgrade to method=plain or to no PKCE at all
OIDC nonce                 | missing, or not compared with the session value when the ID token comes back
token audience and issuer  | weak aud / iss checks, so a token issued to another client or by another issuer is accepted (cross-client token reuse)
account binding            | callback binds the attacker's provider identity to the victim's session (login CSRF), or a provider account can be rebound to another local account
scope handling             | broader scopes granted than the user consented to or the client is registered for
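The redirect_uri row is the one most often got wrong, so here is an added example (not code from this skill or from any real authorization server) showing a prefix-match validator beside an exact-allowlist validator, run over constructed attacker-supplied URIs. The client, hosts and paths (app.example.com, evil.example, /oauth/callback) are hypothetical. The probes cover the table's cases: host-suffix and userinfo tricks that defeat a startswith check, open redirect chaining on the allowed host, dot-segment path confusion, and an allowlist audit that flags localhost leftovers and origin-only entries.

```python
"""redirect_uri validation: prefix match (weak) vs exact allowlist match (strict).

Example code added to this page; hosts, paths and probes are constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed client registration: one full callback URI is pre-registered.
ALLOWLIST = ["https://app.example.com/oauth/callback"]
# What a prefix-matching server effectively stores: the origin only.
REGISTERED_PREFIX = "https://app.example.com"


def weak_validate(redirect_uri: str) -> bool:
    """Prefix match as seen in misconfigured servers: anything that merely
    starts with the registered string passes."""
    return redirect_uri.startswith(REGISTERED_PREFIX)


def strict_validate(redirect_uri: str, allowlist: list[str] = ALLOWLIST) -> bool:
    """Exact string comparison against pre-registered full URIs (RFC 6749
    3.1.2.2/3.1.2.3; required by the OAuth 2.1 draft). No normalisation,
    no prefix, no wildcard, so every probe below fails unless byte-identical."""
    return redirect_uri in allowlist


def effective_host(redirect_uri: str) -> str:
    """Host the browser will actually be sent to (userinfo stripped,
    lower-cased), which is what matters for code or token leakage."""
    return urlsplit(redirect_uri).hostname or ""


def audit_allowlist(allowlist: list[str]) -> list[str]:
    """Flag registration leftovers and shapes that invite prefix matching."""
    findings = []
    loopback = ("127.0.0.1", "::1")
    for uri in allowlist:
        parts = urlsplit(uri)
        if parts.scheme != "https" and parts.hostname not in loopback:
            findings.append(f"non-https entry: {uri}")
        if parts.hostname == "localhost" or parts.hostname in loopback:
            findings.append(f"loopback/dev leftover: {uri}")
        if "*" in uri:
            findings.append(f"wildcard entry: {uri}")
        if parts.fragment:
            findings.append(f"fragment in registered URI: {uri}")
        if parts.path in ("", "/"):
            findings.append(f"origin-only entry invites prefix matching: {uri}")
    return findings


# Constructed attacker-controlled values; "legit" is the honest client's URI.
PROBES = {
    "host suffix":   "https://app.example.com.evil.example/oauth/callback",
    "userinfo":      "https://app.example.com@evil.example/oauth/callback",
    "open redirect": "https://app.example.com/redirect?to=https://evil.example/",
    "dot segments":  "https://app.example.com/oauth/callback/../../redirect?to=https://evil.example/",
    "legit":         "https://app.example.com/oauth/callback",
}


def evaluate(redirect_uri: str) -> dict:
    """Run both validators on one URI and report where the browser lands."""
    return {
        "weak_accepts": weak_validate(redirect_uri),
        "strict_accepts": strict_validate(redirect_uri),
        "lands_on": effective_host(redirect_uri),
    }


def evaluate_all() -> dict[str, dict]:
    return {name: evaluate(uri) for name, uri in PROBES.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:14} weak={result['weak_accepts']!s:5} "
              f"strict={result['strict_accepts']!s:5} lands_on={result['lands_on']}")
    for finding in audit_allowlist(["http://localhost:3000/cb", "https://app.example.com/",
                                    "https://*.example.com/cb"]):
        print("audit:", finding)
```

When testing, the useful observation is not just that a probe is accepted but where the code ends up: "host suffix" and "userinfo" deliver the authorization code to evil.example directly, while "open redirect" and "dot segments" need a second hop on the allowed host, which is why section 4 points to the CORS and open-redirect related routes.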

3. QUICK TRIAGE


  1. Map the full flow: authorize, callback, token exchange, logout.
  2. Replay callback flows with state, nonce, and redirect_uri altered, omitted, or taken from a different session.
  3. Compare SPA, mobile, and web clients for weaker validation; the same IdP is often integrated three times with three levels of rigor.
  4. Check whether one provider account can be rebound to another local account.
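To know what a replay in step 2 should be hitting, it helps to have the correct relying-party and token-endpoint logic in front of you. The following is an added example written for this page (not the skill's own code or any real library): a minimal relying party that mints state and nonce per login and binds them to the session, a callback handler that checks state, iss, aud and nonce in that order, and an authorization-server-side PKCE S256 check. run_replays() then performs the step-2 alterations (foreign state, missing state, wrong aud, wrong nonce, missing verifier, plain-method downgrade) and records how each is rejected. Client ID and issuer (rp-client, https://idp.example.com) are constructed; ID token signature and alg checks are assumed to have been done already and belong to the jwt skill.

```python
"""Relying-party callback checks (state, nonce, iss, aud) and PKCE S256 verification,
with constructed replays matching triage step 2. Example code added to this page.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

CLIENT_ID = "rp-client"                    # constructed
EXPECTED_ISS = "https://idp.example.com"   # constructed


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce() -> tuple[str, str]:
    """Client side: high-entropy code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def as_check_pkce(stored_challenge: str | None, method: str | None, verifier: str | None) -> bool:
    """Authorization-server side at /token. A server that returns True when the
    verifier is missing, or that honours method=plain, has the 'PKCE not enforced
    / downgraded flow' weakness from the table in section 2."""
    if stored_challenge is None or verifier is None or method != "S256":
        return False
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected.encode(), stored_challenge.encode())


def rp_begin_login(session: dict) -> dict:
    """Relying party: mint per-login state, nonce and PKCE verifier and store them
    in the browser session before redirecting to /authorize."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    verifier, challenge = make_pkce()
    session["pkce_verifier"] = verifier
    return {"client_id": CLIENT_ID, "state": session["oauth_state"],
            "nonce": session["oidc_nonce"], "code_challenge": challenge,
            "code_challenge_method": "S256"}


def rp_handle_callback(session: dict, params: dict, id_token_claims: dict) -> str:
    """Return 'ok' or the reason the callback was rejected. state and nonce are
    popped so a replayed callback cannot pass a second time."""
    expected_state = session.pop("oauth_state", None)
    expected_nonce = session.pop("oidc_nonce", None)
    got_state = str(params.get("state", ""))
    if not expected_state or not hmac.compare_digest(expected_state.encode(), got_state.encode()):
        return "state mismatch"
    if id_token_claims.get("iss") != EXPECTED_ISS:
        return "issuer mismatch"
    aud = id_token_claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        return "audience mismatch"
    got_nonce = str(id_token_claims.get("nonce", ""))
    if not expected_nonce or not hmac.compare_digest(expected_nonce.encode(), got_nonce.encode()):
        return "nonce mismatch"
    return "ok"


def run_replays() -> dict:
    """Constructed replays: an honest flow plus each step-2 alteration."""
    victim, attacker = {}, {}
    v_auth = rp_begin_login(victim)
    a_auth = rp_begin_login(attacker)
    good = {"iss": EXPECTED_ISS, "aud": CLIENT_ID, "nonce": v_auth["nonce"], "sub": "victim"}
    v_state = {"state": v_auth["state"]}
    results = {}
    # attacker's state injected into the victim's session (login CSRF / account binding)
    results["foreign_state"] = rp_handle_callback(dict(victim), {"state": a_auth["state"]}, good)
    results["no_state"] = rp_handle_callback(dict(victim), {}, good)
    results["wrong_aud"] = rp_handle_callback(dict(victim), v_state, {**good, "aud": "other-client"})
    results["wrong_iss"] = rp_handle_callback(dict(victim), v_state, {**good, "iss": "https://idp.evil.example"})
    results["wrong_nonce"] = rp_handle_callback(dict(victim), v_state, {**good, "nonce": a_auth["nonce"]})
    results["honest"] = rp_handle_callback(dict(victim), v_state, good)
    # PKCE at the token endpoint: honest exchange, verifier omitted, plain-method downgrade
    results["pkce_ok"] = as_check_pkce(v_auth["code_challenge"], "S256", victim["pkce_verifier"])
    results["pkce_no_verifier"] = as_check_pkce(v_auth["code_challenge"], "S256", None)
    results["pkce_plain"] = as_check_pkce(victim["pkce_verifier"], "plain", victim["pkce_verifier"])
    return results


if __name__ == "__main__":
    for name, outcome in run_replays().items():
        print(f"{name:18} -> {outcome}")
```

Against a real target, each replay that returns something other than a rejection here is a finding: a callback accepted with another session's state is the account-binding bug, an ID token accepted with a foreign aud is cross-client token reuse, and a token exchange that succeeds without the verifier means PKCE is decorative.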

4. RELATED ROUTES


  • CORS or cross-origin token exposure: cors cross origin misconfiguration
  • XML federation or enterprise SSO: saml sso assertion attacks
  • CSRF-heavy login or binding bugs: csrf cross site request forgery