redirect_uri manipulation, state CSRF, token in Referer, scope escalation, PKCE bypass
