Client applications blindly trust external OAuth servers without verification
In multi-tenant or SSO scenarios, client applications often fail to verify that the identity data they receive (email address, user profile) actually comes from the OAuth/OIDC server configured for that user's account. An attacker who controls an OAuth server that the client will talk to (for example, one registered as the identity provider of the attacker's own tenant) can have it return forged identity claims naming a victim's email address. If the client keys accounts on that email without checking that the issuing server is the one authoritative for it, the attacker is logged in as the victim, enabling account takeover. A valid signature does not help here: the attacker's server signs its forged claims correctly. The check that matters is that the issuer of the response is the issuer the login was started with, and that this issuer is the one configured for the asserted account.
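As an added example that is not part of the original entry, the following Python sketch shows a multi-tenant login callback in the vulnerable shape described above and next to it a hardened version that binds the OAuth `state` to the issuer the login was started with and refuses identity claims from a server that is not configured for the asserted email domain. The tenant table, issuer URLs, client ID and token claims are constructed for illustration; the claims are assumed to have already passed signature verification against whichever server issued them, which is exactly why signature checking alone is insufficient.

```python
"""Constructed example of issuer binding for a multi-tenant OAuth/OIDC client.
Nothing here is from a real deployment; all names and URLs are made up."""
import secrets

# Per-tenant SSO configuration: which identity provider is authoritative for
# which email domain. "evil.test" is a tenant the attacker registered, so the
# client will happily talk to the attacker's server for that tenant.
TENANT_ISSUERS = {
    "example.com": "https://idp.example.com",
    "acme.test": "https://login.acme.test",
    "evil.test": "https://idp.evil.test",  # attacker-controlled issuer
}
CLIENT_ID = "multi-tenant-app"  # hypothetical client_id registered at each IdP

# In-memory login sessions keyed by the OAuth `state` value. The hardened flow
# records which issuer the user was sent to, so the callback can hold the
# response to that same issuer.
_login_sessions = {}


def start_login(email_domain):
    """Begin a login for a tenant: pick its configured issuer and bind it to
    a fresh, unguessable `state`. Returns the state to echo in the callback."""
    issuer = TENANT_ISSUERS[email_domain]
    state = secrets.token_urlsafe(16)
    _login_sessions[state] = {"issuer": issuer}
    return state


def vulnerable_callback(claims):
    """The pattern the entry warns about: whatever email the returned token
    carries is treated as the logged-in identity. Claims from the attacker's
    issuer asserting victim@example.com log the attacker in as the victim."""
    return claims["email"]


def hardened_callback(state, claims):
    """Accept the identity only if the response comes from the issuer this
    login was started with, was minted for this client, and that issuer is
    the one configured for the asserted email's domain.
    Returns (email, None) on success or (None, reason) on rejection."""
    session = _login_sessions.pop(state, None)  # single-use: blocks replay
    if session is None:
        return None, "unknown or replayed state"
    expected_issuer = session["issuer"]
    # Guards against a response from a different server than the one the
    # user was sent to (including redirect/"mix-up" style tampering).
    if claims.get("iss") != expected_issuer:
        return None, "token issued by a different server than login was started with"
    if claims.get("aud") != CLIENT_ID:
        return None, "token not issued for this client"
    email = claims.get("email", "")
    domain = email.rpartition("@")[2].lower()
    # The core check for this entry: the issuer that produced these claims
    # must be the one configured as authoritative for this email's domain.
    if not domain or TENANT_ISSUERS.get(domain) != expected_issuer:
        return None, "issuer is not authoritative for the asserted email domain"
    return email, None


if __name__ == "__main__":
    # Attacker starts a login for their own tenant; their IdP returns claims
    # naming a victim in another tenant.
    forged = {"iss": "https://idp.evil.test", "aud": CLIENT_ID,
              "email": "victim@example.com"}
    print("vulnerable:", vulnerable_callback(forged))
    print("hardened:  ", hardened_callback(start_login("evil.test"), forged))
```

The hardened callback fails closed in three independent ways: an unknown or reused `state` is rejected, an `iss` that differs from the issuer the session was bound to is rejected, and an issuer that is valid for the session but not configured for the claimed email domain is rejected. The last check is the one specific to the multi-tenant account-takeover described above.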
Tags: security, OAuth 2.0, Single Sign-On