Google OAuth Client is vulnerable to improper authorization. Due to a flaw in its implementation of Proof Key for Code Exchange (PKCE), the authorization code sent by the authorization server is not properly bound to the client that issued the initial authorization request, so an attacker running a malicious application on the client side can redeem that code and gain authorization to the protected resource.
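To make the weakness concrete, the following is an added toy model of the PKCE binding described in RFC 7636 (it is not code from google-oauth-java-client and does not use that library's API). The client keeps a random code_verifier, sends only its S256 code_challenge with the authorization request, and must present the verifier at token exchange. The `AuthorizationServer` class, the `legitimate_flow` and `intercepted_code_flow` helpers and the `require_pkce` switch are constructed for this illustration; with PKCE a second app that merely observes the redirect cannot redeem the code, while a client that never bound the code (the situation the advisory describes) leaves it redeemable by anyone who holds it.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy code_verifier (RFC 7636 section 4.1): 32 random bytes -> 43 chars."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed toy server: remembers the challenge bound to each code it issues."""

    def __init__(self, require_pkce: bool = True):
        self.require_pkce = require_pkce
        self._pending = {}  # code -> code_challenge (None when the client sent none)

    def authorize(self, code_challenge=None):
        """Authorization endpoint: issue a code, storing the challenge it is bound to."""
        if self.require_pkce and code_challenge is None:
            raise ValueError("code_challenge is required")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code, code_verifier=None):
        """Token endpoint: redeem a code, checking the verifier against the stored challenge."""
        if code not in self._pending:
            return None
        challenge = self._pending.pop(code)  # every code is single use
        if challenge is None:
            # Legacy, unbound code: whoever holds the code can redeem it.
            return {"access_token": "tok-" + secrets.token_urlsafe(8)}
        if code_verifier is None:
            return None
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": "tok-" + secrets.token_urlsafe(8)}


def legitimate_flow(server):
    """The requesting client keeps its verifier and presents it at token exchange."""
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    return server.token(code, verifier)


def intercepted_code_flow(server, client_uses_pkce):
    """Another app on the same device observes the redirect and redeems the code itself.

    It never saw the verifier, so it can only present the bare code."""
    if client_uses_pkce:
        verifier = make_code_verifier()
        code = server.authorize(make_code_challenge(verifier))
    else:
        code = server.authorize()  # client sent no challenge, as the vulnerable library did
    return server.token(code)


if __name__ == "__main__":
    print("legitimate:", legitimate_flow(AuthorizationServer()))
    print("intercepted, PKCE client:", intercepted_code_flow(AuthorizationServer(), True))
    print("intercepted, no PKCE:", intercepted_code_flow(AuthorizationServer(require_pkce=False), False))
```

The mitigation has two halves that the model makes visible: the client must generate and retain the verifier and send the challenge (the library-side fix referenced below), and the authorization server must insist on a challenge for public clients (`require_pkce=True`), since a server that still accepts unbound codes protects nothing.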
github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824
github.com/googleapis/google-oauth-java-client/issues/469
lists.apache.org/thread.html/r3db6ac73e0558d64f0b664f2fa4ef0a865e57c5de20f8321d3b48678@%3Ccommits.druid.apache.org%3E
lists.apache.org/thread.html/reae8909b264d1103f321b9ce1623c10c1ddc77dba9790247f2c0c90f@%3Ccommits.druid.apache.org%3E
tools.ietf.org/html/rfc7636#section-1
tools.ietf.org/html/rfc8252#section-8.1