Just as with any application, security should be a top priority. This is especially true for applications that use the OAuth 2.0 protocol. To understand why, let's remember what OAuth 2.0 actually does for us. Recall that, in the first chapter, we discussed how OAuth 2.0 provides us with federated identity as well as delegated authority. If we aren't diligent with our security practices during implementation, we can open up very dangerous holes for attackers to exploit. And because federated identity and delegated authority are powerful mechanisms, a weakness in either hands that power to the attacker, so we must be extra vigilant.
If an attacker were somehow able to exploit your application to subvert either of these mechanisms, they may be able to do the following:
Impersonate users
Impersonate client applications
Grant themselves otherwise unauthorized permissions
Gain access to protected data and resources
In order to combat this, we...