How do you test OAuth 2.0 and JWT-based authentication flows for security weaknesses?

OAuth 2.0 attack vectors for QA:

State parameter: the state parameter prevents CSRF on the OAuth callback. Test: initiate the OAuth flow, capture the callback URL, replay it without the state parameter or with a modified state. The server must reject the callback.

Redirect URI validation: if the authorisation server accepts arbitrary redirect_uri values, an attacker can redirect the auth code to their own server. Test: modify the redirect_uri in the auth request to an unauthorised domain. The server must return an error, not redirect to the attacker's URI.

Authorisation code reuse: authorisation codes must be single-use. Test: capture a code from the callback, exchange it for tokens (normal), then attempt to exchange the same code again. The second exchange must fail.

JWT attack vectors for QA:

Algorithm confusion (alg:none): some JWT libraries accept alg: "none" in the header, bypassing signature verification. Test: decode a valid JWT, modify the header to { "alg": "none" }, remove the signature, and present it to a protected endpoint. It must be rejected.

Payload tampering: decode a valid JWT, modify the payload (e.g. change "role": "user" to "role": "admin"), re-encode without resigning, and present it. The signature is now invalid — the server must reject it.

Expiry enforcement: capture a valid token. Wait for it to expire (or modify the exp claim in a test environment). Present the expired token to a protected endpoint. It must return 401.

Scope enforcement: if your OAuth tokens include scope claims, test that a token with read scope cannot call write endpoints.