by vertex-four 4432 days ago
The point is that large OAuth2 providers have open redirects themselves at the authorization endpoint, by not requiring all clients to register their redirection URIs. This directly violates the spec, as per section 3.1.2.2, and is further warned against in section 10.15.

In combination with the implicit flow, this means that an attacker can ask the provider to authorize any client to access their data, but actually send the access token to the attacker's URL.

The interesting thing is... if providers actually followed all MUSTs and SHOULDs, this would not be a problem. The providers explicitly decided to allow this variety of problem to happen.
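As an added illustration of the point above (example code, not from the comment or any provider): the permissive check that makes an authorization endpoint an open redirector, beside the exact-match validation that RFC 6749 sections 3.1.2.2 and 3.1.2.3 require. The client registry and client id are constructed sample data.

```python
# Added example: redirect_uri handling at an OAuth2 authorization endpoint.
# The registry below is constructed sample data, not any real provider's.
from urllib.parse import urlsplit

# Constructed registry: client_id -> set of pre-registered redirect URIs.
REGISTERED_REDIRECTS = {
    "client-abc": {"https://app.example.com/cb", "https://app.example.com/alt"},
}


def loose_redirect_check(client_id, redirect_uri):
    """The weak pattern the comment describes: accept any redirect_uri as long as
    the client id exists. The endpoint then redirects wherever the request says,
    which is an open redirect; with the implicit flow the token travels with it."""
    return client_id in REGISTERED_REDIRECTS


def strict_redirect_check(client_id, redirect_uri):
    """Simple string comparison against the registered URIs (RFC 6749 3.1.2.3),
    after rejecting non-https schemes and fragments (3.1.2 forbids fragments)."""
    registered = REGISTERED_REDIRECTS.get(client_id)
    if not registered:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in registered


def resolve_redirect(client_id, requested_uri):
    """Decide where the authorization response goes. Returns None when the server
    must NOT redirect and should show the user an error instead (RFC 6749 4.1.2.1:
    a missing, invalid or mismatching redirect_uri never causes a redirect)."""
    registered = REGISTERED_REDIRECTS.get(client_id)
    if not registered:
        return None
    if requested_uri is None:
        # An omitted redirect_uri is acceptable only when exactly one URI is registered.
        return next(iter(registered)) if len(registered) == 1 else None
    return requested_uri if strict_redirect_check(client_id, requested_uri) else None
```

Note that prefix or substring matching is not enough either; path traversal and lookalike hosts defeat it, which is why the spec asks for registration plus simple string comparison.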