For web server applications, Google uses the "Web application" application type - see:
https://developers.google.com/identity/protocols/OAuth2WebServer
But during testing, this allows the end user to change the response_type in the URL to which the user is sent from "code" to "token", which then lets them receive the access token directly at the end of the authentication flow.
Some other API providers offer a mechanism on the OAuth application configuration screen to disable this authorization flow completely, which seems reasonable.
Did I miss something?
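The defensive side of the situation described in the question, as an added example (not the poster's code and not Google's client library): a server-side client that always asks for response_type=code with state and PKCE, and a callback parser that accepts only an authorization code, so a token obtained by editing response_type to "token" is never trusted by the server. The client_id and redirect_uri are placeholders; the authorization endpoint is the one from Google's documentation.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"  # Google's documented endpoint
CLIENT_ID = "PLACEHOLDER_CLIENT_ID.apps.googleusercontent.com"   # placeholder, not a real id
REDIRECT_URI = "https://app.example/oauth/callback"              # placeholder redirect


def build_auth_request(scope="openid email"):
    """Return (url, state, code_verifier). The server keeps state and the
    verifier in the user's session; response_type is hard-wired to 'code'."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # PKCE verifier, 43..128 chars
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    params = {
        "response_type": "code",   # never 'token'; the code is exchanged server-side
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state, verifier


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to the server.
    Rejects anything that is not a plain code response: missing or mismatched
    state, an error response, or a token showing up in the query string."""
    parsed = urlparse(callback_url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch (possible CSRF or replay)")
    if "error" in q:
        raise ValueError(f"authorization server returned error: {q['error']}")
    if "access_token" in q or "id_token" in q:
        # Implicit-flow tokens arrive in the URL fragment, which the browser never
        # sends to the server; a token in the query string is therefore something
        # the user pasted in, and a confidential client must not trust it.
        raise ValueError("token in callback query; only an authorization code is accepted")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"]
```

The returned code is then exchanged at the token endpoint together with the client secret and the stored code_verifier, which is the step an implicit-flow response cannot reproduce.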