Hi All,
I don't want to be an alarmist, but I just thought I'd share a security concern that has been raised with certain OAuth 2.0 implementations.
While this will probably not affect many people, it's not in the actual OAuth code itself, but more so in the implementation.
We have a snippet/code/extra called HybridAuth that uses the OAuth code base, and that's the reason I'm posting here.
So, I'm just posting these few links as a "by the way, you may wish to read", not as a "HybridAuth is bad and shouldn't be used". In fact, quite the opposite. I'm happy using HybridAuth; however, I just want to say to be careful in your implementation.
http://www.phpclasses.org/blog/package/7700/post/4-Is-Your-OAuth-20-Application-Secure.html
http://www.tetraph.com/blog/2014/05/covert-redirect-vulnerability-related-oauth-2-0-openid-covert-redirect-vulnerability-related-oauth-2-0-openid-%E4%B8%8E-oauth-2-0-openid-%E6%9C%89%E5%85%B3%E7%9A%84-covert-redirect/
Cheers,
Steve