What is OAuth Login?

From the OAuth 2.0 Threat Model and Security Considerations :

4.4.1.13. Threat: replacing code (logging into OAuth)

An attacker may try to log into an application or website using the victim’s identifier. Identity-based applications provided by the secure OAuth API for logging in are vulnerable to this threat. This template can be found in the so-called "social login" scripts.

As a prerequisite, the resource server offers an API for receiving personal information about the user, which can be interpreted as receiving a user ID. In this sense, the client is considering the resource API as the "identity" API. The client uses OAuth to obtain an access token for the authentication API. This then requests the identity API for the identifier and uses it to search (internal user account). The client claims that since he was able to obtain information about the user, the user was authenticated.

If the client uses the type “type” of the grant type, the attacker needs to collect a valid authorization code of the corresponding victim from the same identification provider that is used by the target client application. an attacker tricks a victim into entering a malicious application (which may appear to be legitimate for an Identity Provider) using the same identity provider as the target application. This leads to the identity provider authorization server issuing code authorization for the corresponding authentication API. The malicious application then sends this code to the attacker, who, in turn, starts the login process in the target application. Now the attacker manipulates the authorization and replaces their code (associated with their identity) for the victim’s code. This code is then exchanged by the client for the access token, which, in turn, is accepted by the identity of the API, since the audience related to the resource server is correct. But since the identifier returned by the identification API is determined by the identifier in the access token (issued on the basis of the victim’s code), the attacker registers with the victim’s identity in the target application.

Impact: An attacker gains access to the application and to specific users of data in the application

Countermeasures:

• All clients must indicate their client identifier with each request to exchange an authorization code for an access token. The authorization server should check if the authorization code was issued to a specific client. If possible, the client must authenticate in advance.

• Clients must use the appropriate protocol, such as OpenID (see [openid]) or SAML (see [OASIS.sstc-saml-bindings-1.1]), in order to implement the user login. Both support audience restrictions on customers.

This confuses me quite a bit: “an attacker needs to collect a valid authorization code for the corresponding victim from the same identity provider used by the target client application.” What does “appropriate victim” mean and what does “identity provider” mean for this and subsequent purposes?

The entire description of the attack is unclear. I realized that “you cannot use OAuth 2.0 to implement user sign-in,” but does that not mean that major platforms such as Facebook are vulnerable? And vulnerable to what exactly?

I probably only need to clarify some of the terms used in this section.