Web Client

Standard OAuth Flows

Flow 1: Client 1 Flow 2: Client 1 Flow 3: Client 1 Flow 4: Client 1

Standard OpenID Connect Flows

Flow 1: Client 1 Flow 2: Client 1 Flow 3: Client 1 Flow 4: Client 1

Flow 1: Client 2

Advanced OpenID Connect Flows

PKCE

Web Attacks

Bypass Consent Page Server-side XSS

Clickjacking 1 Clickjacking 2 Clickjacking 3 Clickjacking 4

Open Redirects

Open Redirect 1 Open Redirect 2

Open Redirect 3 Open Redirect 4

Replay Attacks

Code Reuse 1

Code Reuse 2

Client Impersonation

Client Impersonation 1

Client Impersonation 2

Web Attacks

Cross-Site Request Forgery 1 Cross-Site Request Forgery 2

Covert Redirect

Replay Attacks

Replay Attack 1 Replay Attack 2

Replay Attack 3 Replay Attack 4

ID Token: Wrong Recipient

Wrong Recipient 1

Wrong Recipient 2

ID Token: Signature Bypasses

Signature Bypass 1 Signature Bypass 2 Signature Bypass 3

Signature Bypass 4 Signature Bypass 5 Signature Bypass 6

ID Token: ID Spoofing

ID Spoofing 1

ID Spoofing 2

Cross-Phase Attacks

Malicious Endpoints IdP Confusion Mix-Up Attack

Challenges

Steal the tokens via Covert Redirect 1 Steal the tokens via Covert Redirect 2

Steal the tokens via XSS on the SP

Advanced Verification

Nothing here yet. Come back later.