My personal favorite is a provider that opted to have a separate endpoint for refresh tokens rather than following the spec and using the token endpoint with a refresh token grant type.
I'm not privy to GP's use case, but the "non-standard" part you nodded at makes it far more likely they "rolled their own crypto" and thus the landscape of vulns or leaks introduced by the "how hard can it be" crew is vast. That's not even including the similar, although smaller, risk pushed down upon the consumers, since they also now have to eject from the vetted libraries to interact and start doing their own fun //FIXME hacks.
diggan|1 year ago
mdaniel|1 year ago
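For reference, this is what the spec'd flow the first comment alludes to looks like: RFC 6749 puts the refresh grant on the same token endpoint as every other grant, so a vetted client library just changes `grant_type`. Added example, not from either commenter; the client registry, token store and endpoint shape are constructed in-memory stand-ins.

```python
"""Minimal RFC 6749 token-endpoint dispatcher (constructed example).
One /token endpoint handles grant_type=refresh_token alongside other grants,
with the server-side checks a defender wants: client authentication, token
bound to the presenting client, single-use rotation, no scope escalation."""
import secrets
import time
from urllib.parse import parse_qs

# Constructed sample data: one confidential client and one issued refresh token.
CLIENTS = {"app-123": "s3cret"}
REFRESH_TOKENS = {
    "rt-old": {"client_id": "app-123", "exp": time.time() + 3600, "scope": "read"},
}


def _error(code):
    return 400, {"error": code}


def token_endpoint(body, client_id, client_secret, now=None):
    """Handle a form-encoded POST to /token. Returns (status, json_dict)."""
    now = time.time() if now is None else now
    if CLIENTS.get(client_id) != client_secret:
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") == "refresh_token":
        return _refresh(form, client_id, now)
    # authorization_code, client_credentials etc. would dispatch here too.
    return _error("unsupported_grant_type")


def _refresh(form, client_id, now):
    # Pop first: the presented token is consumed whether or not refresh succeeds,
    # so a replayed or misused token is revoked rather than retried.
    rec = REFRESH_TOKENS.pop(form.get("refresh_token", ""), None)
    if rec is None or rec["exp"] <= now:
        return _error("invalid_grant")
    if rec["client_id"] != client_id:  # token must belong to the presenting client
        return _error("invalid_grant")
    requested = form.get("scope", rec["scope"])
    if not set(requested.split()) <= set(rec["scope"].split()):
        return _error("invalid_scope")  # refresh may narrow scope, never widen it
    new_rt = "rt-" + secrets.token_urlsafe(16)  # rotate: issue a fresh refresh token
    REFRESH_TOKENS[new_rt] = {"client_id": client_id, "exp": rec["exp"], "scope": requested}
    return 200, {"access_token": "at-" + secrets.token_urlsafe(16), "token_type": "Bearer",
                 "expires_in": 300, "refresh_token": new_rt, "scope": requested}
```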