Same as the implicit-grant vulnerability for the Implicit Flow, except that in this instance it is the Authorization Code that is leaked instead of the Access Token.
Mitigation @ OAuth2 provider:
- In cases where the app is stateful (cookies, HTTP session etc.), the redirect_uri can point to a headless resource that is dedicated to exchanging authorization codes for access tokens. This drastically reduces the chance of an XSS vulnerability at that URL
- Recommend to the application admin that they use a dedicated resource as above
- Implement PKCE, which requires a valid code_challenge/code_verifier pair for the token exchange
- Implement [REQ013 Support for Native Apps - [RFC 7636] Proof Key for Code Exchange by OAuth Public Clients (PKCE)|https://docs.google.com/document/d/1BYd_nCWRUOB5JW-YzlPtCKNXBq85drAWftZv-BNrfxg/edit#heading=h.9n0vdo1bmc2x]
- For this to be effective for SPA clients …
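The PKCE mitigation above, as an added example that is not part of the original page or of any provider's code: the client derives an S256 code_challenge from a random code_verifier, the provider binds that challenge to the authorization code it issues, and the token exchange only succeeds when the caller proves possession of the matching code_verifier. The `AuthorizationServer` class and its method names are hypothetical; the verifier/challenge pair used in the check is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy random string of 43-128 unreserved chars (RFC 7636 section 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical minimal provider state: authorization code -> bound challenge + used flag."""

    def __init__(self) -> None:
        self._codes: dict[str, dict] = {}

    def issue_code(self, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: store the challenge alongside the freshly issued code."""
        if code_challenge_method != "S256":
            # Design choice for this example: refuse the 'plain' method entirely.
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"challenge": code_challenge, "used": False}
        return code

    def exchange_code(self, code: str, code_verifier: str):
        """Token endpoint: a leaked code alone is useless without the verifier."""
        entry = self._codes.get(code)
        if entry is None or entry["used"]:
            return None
        entry["used"] = True  # single use, whether or not the verifier turns out to be right
        if not 43 <= len(code_verifier) <= 128:
            return None
        presented = code_challenge_s256(code_verifier)
        if not hmac.compare_digest(presented, entry["challenge"]):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def leaked_code_scenario() -> dict:
    """Constructed scenario: the code is exposed, but only the legitimate client holds the verifier."""
    server = AuthorizationServer()

    # Legitimate client completes the flow, then the exposed code is replayed with a guessed verifier.
    verifier = generate_code_verifier()
    code = server.issue_code(code_challenge_s256(verifier))
    legit = server.exchange_code(code, verifier)
    replay = server.exchange_code(code, generate_code_verifier())

    # Exposed code is used before the legitimate client: no verifier, no token.
    verifier2 = generate_code_verifier()
    code2 = server.issue_code(code_challenge_s256(verifier2))
    attacker_first = server.exchange_code(code2, generate_code_verifier())

    return {"legit": legit, "replay": replay, "attacker_first": attacker_first}


if __name__ == "__main__":
    print(code_challenge_s256("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"))
    print(leaked_code_scenario())
```

Note that because the code is single-use, a wrong-verifier attempt that arrives first also invalidates the code for the legitimate client; that is the intended failure mode (the exchange fails closed) and a useful signal to log at the token endpoint.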