A focused checklist for finding OAuth and OIDC integration bugs, the kind that let attackers hijack login flows or bind their identity to someone else's account. It walks through redirect URI validation holes, missing or broken state and nonce checks, PKCE enforcement gaps, and token audience mismatches. The triage is practical: map the full flow, replay callbacks with tampered parameters, compare how web versus mobile clients validate the same flow. If you're auditing anything with "Login with Google" buttons or seeing authorize endpoints in traffic, this gives you a methodical way to catch the configuration mistakes that still ship in production despite OAuth being around for over a decade.
npx skills add https://github.com/yaklang/hack-skills --skill oauth-oidc-misconfiguration
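As an added example (not code from the hack-skills project), the defender-side checks that close three of the bug classes the checklist names: exact redirect_uri matching, single-use state bound to the session, and nonce/aud validation of ID-token claims. All function names and sample values are constructed, and ID-token signature verification is assumed to have happened before these claim checks run.

```python
# Added example, not part of the hack-skills project. Names and values are constructed.
import hmac
from urllib.parse import urlsplit


def redirect_uri_matches(registered: str, supplied: str) -> bool:
    """Exact-match comparison of scheme, host, port, path and query.
    Prefix or substring matching is the usual redirect-URI hole; fragments are rejected."""
    try:
        r, s = urlsplit(registered), urlsplit(supplied)
        if r.fragment or s.fragment:
            return False
        return (r.scheme, r.hostname, r.port, r.path, r.query) == \
               (s.scheme, s.hostname, s.port, s.path, s.query)
    except ValueError:  # malformed port or similar: fail closed
        return False


def consume_state(session: dict, supplied_state: str) -> bool:
    """Bind the callback to the browser session that started the flow.
    The stored value is popped so a replayed callback cannot reuse it."""
    expected = session.pop("oauth_state", None)
    return expected is not None and hmac.compare_digest(expected, supplied_state)


def validate_id_token_claims(claims: dict, issuer: str, client_id: str,
                             expected_nonce: str, now: int) -> list[str]:
    """Return the names of failed checks; an empty list means accept.
    Assumes the token signature was already verified against the issuer's keys."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:          # token minted for another client
        problems.append("aud")
    elif len(auds) > 1 and claims.get("azp") != client_id:
        problems.append("azp")         # multi-audience token must name us as authorized party
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        problems.append("nonce")       # replayed or cross-session token
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("exp")
    return problems
```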