Using [0] as a reference, I'm talking about Step 3. This is, in my experience, the "normal" way that people are setting up OAuth between 2 services, with a user going through the flow.
[1] includes info on this (see "flawed CSRF protection")
Aha! That makes sense! Yes that can be a problem. We exclusively use a single (our own) IdP so it's less important for us. But good to know as some future feature work will actually make this important.
[0]: https://www.digitalocean.com/community/tutorials/an-introduc...
[1] https://portswigger.net/web-security/oauth
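As an added illustration of the "flawed CSRF protection" point raised in the thread (this is example code, not from either commenter or from the linked pages): a minimal OAuth 2.0 authorization-code client that binds an unguessable `state` value to the user's session when it redirects to the IdP in Step 3, then refuses the callback unless `state` comes back unchanged. The endpoint URLs, client id and the `session` dict are hypothetical stand-ins for whatever the real app uses; the flawed variant at the end is included only to show what the check prevents.

```python
# Added example (not from the thread): OAuth 2.0 authorization-code client with
# `state`-based CSRF protection on the redirect callback. Endpoint URLs, CLIENT_ID
# and the `session` dict are hypothetical.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://idp.example/oauth/authorize"  # hypothetical IdP
CLIENT_ID = "example-client"                                # hypothetical
REDIRECT_URI = "https://app.example/oauth/callback"         # hypothetical


def start_login(session: dict) -> str:
    """Build the authorization URL (Step 3 of the flow the thread refers to)
    and bind a fresh, unguessable `state` to this user's session."""
    state = secrets.token_urlsafe(32)          # 256 bits, URL-safe alphabet
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back from the IdP. Returns the authorization code
    only if `state` matches the value stored in the caller's session. The stored
    value is consumed either way, so a state can be used at most once."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [None])[0]
    expected_state = session.pop("oauth_state", None)
    if not expected_state or not returned_state:
        raise PermissionError("missing state: callback not tied to a login this session started")
    # Constant-time comparison so the check cannot leak match progress via timing.
    if not hmac.compare_digest(expected_state, returned_state):
        raise PermissionError("state mismatch: callback was not initiated by this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("authorization code missing from callback")
    return code


def callback_accepted(session: dict, callback_url: str) -> bool:
    """Convenience wrapper: True if the callback passes validation, False otherwise."""
    try:
        handle_callback(session, callback_url)
        return True
    except (PermissionError, ValueError):
        return False


def flawed_handle_callback(session: dict, callback_url: str) -> str:
    """The pattern the linked write-up calls flawed: the code is accepted without
    ever checking `state`, so the app cannot tell a callback the user started
    from one that arrived via a link someone else prepared."""
    query = parse_qs(urlparse(callback_url).query)
    return query["code"][0]


if __name__ == "__main__":
    session = {}
    print("redirect user to:", start_login(session))
    good = f"{REDIRECT_URI}?code=abc123&state={session['oauth_state']}"
    print("valid callback accepted:", callback_accepted(dict(session), good))
    print("forged callback accepted:", callback_accepted(dict(session), f"{REDIRECT_URI}?code=abc123&state=forged"))
```

Because `handle_callback` pops the stored state, a second callback with the same `state` is rejected too, which is the single-use property you want; in a real app the session store would be server-side or a signed cookie rather than a plain dict.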