From the course: Unboxing AI: Build a Remote MCP Server from Zero to Deployed with OAuth

MCP security risk: Confused deputy

- That gets us to the confused deputy problem. This is actually a name of a specific type of security incident that can happen when you have these OAuth loop things happening. The confused deputy, simplified, is: during the OAuth back-and-forth loop where the user is authorized, a malicious actor can inject themselves by intercepting different URLs and sending the wrong URL to the client, and then pick up the key, so that instead of the client accessing the authorization server to get the token, a third party can pick up that key and then go to the authorization server and get the token and then gain access to the system as the original user. So this happens after the human being has clicked on a button or authorized themselves into the system. The worst part about this is when this happens to you, the user, it looks like something went wrong in the authorization, and you just go do the authorization again. Meanwhile, someone else may have gained access to your account to do things. And…
