OAuth2 implicit flow – is it still possible to hijack the token with HTTPS?
The video from Okta says that it’s possible to hijack the access token when on public wifi. But if HTTPS is used, the headers are encrypted. And therefore the Location returned by the Auth Server won’t be visible to the attacker.
Replay at…
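To make the question concrete, here is an added example (not part of the original question, and not code from Okta or any authorization server) that models the implicit-grant redirect and classifies what a passive observer on the same network can read, depending on which hops use HTTPS. The authorization endpoint, redirect_uri, client and token values are all constructed for illustration. It shows the two facts the question turns on: the token is carried in the fragment of the Location header of the 302 response, so it is only readable on the wire if the authorization endpoint itself is served over plain HTTP; and browsers never transmit the fragment, so the follow-up request to the redirect_uri does not contain the token even without TLS. It also flags the remaining caveat, an http redirect_uri, because script injected into a plaintext callback page can read the fragment via location.hash.

```python
"""
Added example: the OAuth2 implicit-grant redirect (RFC 6749 section 4.2.2)
on the wire, and which parts of it an on-path observer could see.
Every URL, client_id and token value here is constructed, not real.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample endpoints and values (assumptions, not from the question)
AUTHZ_ENDPOINT_TLS = "https://as.example/authorize"
AUTHZ_ENDPOINT_PLAIN = "http://as.example/authorize"
REDIRECT_URI_TLS = "https://app.example/callback"
REDIRECT_URI_PLAIN = "http://app.example/callback"


def implicit_redirect(redirect_uri: str, access_token: str, state: str) -> str:
    """Build the Location header value an authorization server returns for
    response_type=token: the token rides in the URL fragment, not the query."""
    fragment = urlencode({
        "access_token": access_token,
        "token_type": "Bearer",
        "expires_in": "3600",
        "state": state,
    })
    return f"{redirect_uri}#{fragment}"


def token_from_location(location: str) -> dict:
    """What the browser, and any script on the redirect target page, can read
    from the fragment after the redirect is followed."""
    frag = urlsplit(location).fragment
    return {k: v[0] for k, v in parse_qs(frag).items()}


def request_line_for(location: str) -> str:
    """The request line the browser sends to redirect_uri after following the
    302. Browsers strip the fragment, so the token is not on the wire here
    regardless of whether this hop uses TLS."""
    parts = urlsplit(location)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"GET {path} HTTP/1.1"


def exposure_on_path(authz_endpoint: str, location: str) -> dict:
    """Classify what a passive observer on the same network can see.

    location_header_readable: the 302 from the authorization endpoint,
        Location header included, is plaintext only if that endpoint is http.
    token_in_followup_request: always False, the fragment is never sent.
    callback_page_over_tls: if False, an active attacker can inject script
        into the callback page and read the token from location.hash.
    """
    authz_https = urlsplit(authz_endpoint).scheme == "https"
    callback_https = urlsplit(location).scheme == "https"
    return {
        "location_header_readable": not authz_https,
        "token_in_followup_request": False,
        "callback_page_over_tls": callback_https,
    }


if __name__ == "__main__":
    loc = implicit_redirect(REDIRECT_URI_TLS, "tok-constructed-123", "xyz")
    print("Location:", loc)
    print("Follow-up:", request_line_for(loc))
    print("HTTPS AS :", exposure_on_path(AUTHZ_ENDPOINT_TLS, loc))
    print("HTTP AS  :", exposure_on_path(AUTHZ_ENDPOINT_PLAIN, loc))
    loc_plain = implicit_redirect(REDIRECT_URI_PLAIN, "tok-constructed-123", "xyz")
    print("HTTP callback:", exposure_on_path(AUTHZ_ENDPOINT_TLS, loc_plain))
```

Running it with the HTTPS authorization endpoint reports that the Location header is not readable on the wire, which matches the reasoning in the question; switching the endpoint to http flips that flag, and an http redirect_uri leaves the callback page itself open to script injection even though the token never appears in the request line. The check a practitioner wants, then, is that both the authorization endpoint and every registered redirect_uri are https.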