First reminder to self:
OAuth is NOT an authentication protocol. It is an access delegation protocol. I hope this is clear to all OAuth developers/implementers. Should you use OAuth to authenticate users in your application/website, you'd better be careful (especially if you use the client-side flow, aka implicit grant). If you wonder why, take a look here and here.
- Risk: "access_token phishing" attack. An access token only proves that some client was granted access to a user's resources; it does not prove who is sitting in front of your site. An attacker who gets hold of a valid token issued to a different client (for example a user authorized the attacker's own app) can replay it to your login endpoint, and if you accept any token that resolves to a user as a login, the attacker is logged in as that user.
- Mitigation: Use OpenID Connect (an id_token carries an audience you can check) or, before trusting a bare access token, verify that it was issued to YOUR application, e.g. with an API like https://graph.facebook.com/app?access_token=YOUR_TOKEN
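To make the risk and the mitigation concrete, here is an added example (my own toy code, not from any OAuth library or provider). It simulates an authorization server with a token-introspection call in the spirit of the graph.facebook.com/app endpoint above, a "victim" site that logs users in from a bare access_token (vulnerable), and the same site checking which client the token was issued to first (fixed). All names, client ids and the introspection API shape are made up for the demo.

```python
"""
Added example: why a bare OAuth 2 access token is not proof of identity,
and how checking the token's audience (the client it was issued to) closes
the "access_token phishing" hole.

Everything here is constructed: the authorization server, the client ids,
and the introspection API are stand-ins, not a real provider's API.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class TokenInfo:
    user_id: str    # resource owner the token acts on behalf of
    client_id: str  # the application the token was issued TO (its audience)


class AuthorizationServer:
    """Toy OAuth 2 provider: issues tokens and answers two kinds of lookups."""

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenInfo] = {}

    def issue_token(self, user_id: str, client_id: str) -> str:
        """Simulates the end of an implicit-grant flow: the user approved
        client_id, so a token bound to (user, client) lands in that client."""
        token = secrets.token_urlsafe(24)
        self._tokens[token] = TokenInfo(user_id, client_id)
        return token

    def userinfo(self, token: str) -> Optional[str]:
        """A /me-style API: returns who the token is about, nothing more."""
        info = self._tokens.get(token)
        return info.user_id if info else None

    def introspect(self, token: str) -> Optional[TokenInfo]:
        """An /app-style API (cf. graph.facebook.com/app?access_token=...):
        tells you which application the token was issued to."""
        return self._tokens.get(token)


def login_vulnerable(server: AuthorizationServer, token: str) -> Optional[str]:
    """Treats 'this token resolves to a user' as 'this browser IS that user'.
    Any valid token for that user, issued to ANY client, logs the caller in."""
    return server.userinfo(token)


def login_checked(server: AuthorizationServer, token: str,
                  my_client_id: str) -> Optional[str]:
    """Only accepts tokens that were issued to OUR client. A token the user
    granted to some other app is rejected even though it is valid."""
    info = server.introspect(token)
    if info is None or info.client_id != my_client_id:
        return None
    return info.user_id


def run_scenario() -> Dict[str, Optional[str]]:
    """Plays the attack once and returns the outcome of each login attempt."""
    idp = AuthorizationServer()
    victim_site = "victim-shop"      # constructed client id of the site we defend
    attacker_app = "fun-quiz-app"    # constructed client id of the attacker's app

    # 1. Alice tries the attacker's harmless-looking app and approves it via
    #    the implicit grant. The token is delivered straight to that app's
    #    front end, so the attacker simply keeps a copy ("phished" token).
    phished = idp.issue_token("alice", attacker_app)

    # 2. The attacker posts Alice's token to victim-shop's "login with OAuth"
    #    endpoint. The vulnerable site happily becomes Alice.
    outcome_vulnerable = login_vulnerable(idp, phished)

    # 3. The checked site asks the provider who the token was issued to,
    #    sees it is not victim-shop, and refuses.
    outcome_checked = login_checked(idp, phished, victim_site)

    # 4. Sanity check: a token Alice really granted to victim-shop still works.
    legit = idp.issue_token("alice", victim_site)
    outcome_legit = login_checked(idp, legit, victim_site)

    return {
        "vulnerable": outcome_vulnerable,  # "alice": attacker is logged in as Alice
        "checked": outcome_checked,        # None: phished token rejected
        "legit": outcome_legit,            # "alice": the honest flow still works
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:>10}: {result!r}")
```

The audience check is the whole point: the provider's /me-style API answers "who is this token about", while only the /app-style call (or the aud claim of an OpenID Connect id_token) answers "was this token meant for me". Note that the check only helps if the attacker cannot obtain a token for your own client_id; with the implicit grant the token passes through the user's browser, so also keep it out of URLs you log or leak via Referer.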
To be continued...
P.S. A little off topic: Apache Amber is now also linked from http://oauth.net/2/