> Your site did not create the redirect URI that is being passed to Google / Twitter in your example.
Sorry, I don't understand this sentence.
The redirect URI is not normally passed to Google / FB / Instagram dynamically, but normally registered with Google / FB / Instagram once, when you set up an app with them (and get a secret key etc).
If someone else registered their own app with their own redirector, they wouldn't have my secret key.
Edit: removed Twitter, they use OAuth 1 which is strange / different / weird.
Not just a decent implementation; an implementation which meets the spec. This is not a problem with OAuth2, which explicitly requires registration of URIs where the implicit grant type is used, and covers other cases well in the Security Considerations section.
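The registration check these comments rely on, sketched as an added example that is not part of the thread or of any provider's code: an authorization server only redirects to a URI registered for the client, compared as an exact string. The client id, URIs and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed registry: client_id -> redirect URIs registered at app setup.
REGISTERED = {
    "example-client": {"https://app.example.com/oauth/callback"},
}


class RedirectRejected(Exception):
    """Raised when an authorization request must not be redirected."""


def resolve_redirect_uri(client_id, requested=None):
    """Return the URI the server may redirect to, or raise RedirectRejected."""
    registered = REGISTERED.get(client_id)
    if not registered:
        raise RedirectRejected("unknown client")
    if requested is None:
        # Omitting redirect_uri is only unambiguous with one registered URI.
        if len(registered) == 1:
            return next(iter(registered))
        raise RedirectRejected("redirect_uri required")
    parts = urlsplit(requested)
    if not parts.scheme or not parts.netloc or parts.fragment:
        raise RedirectRejected("redirect_uri must be absolute, no fragment")
    # Exact string comparison: no prefix, wildcard or host-only matching, so a
    # redirector elsewhere on the same host cannot be substituted.
    if requested not in registered:
        raise RedirectRejected("redirect_uri not registered for this client")
    return requested


def allowed(client_id, requested=None):
    """Boolean wrapper around resolve_redirect_uri for callers and tests."""
    try:
        resolve_redirect_uri(client_id, requested)
        return True
    except RedirectRejected:
        return False
```

On rejection the server should show an error to the user rather than redirect, since the target is by definition untrusted.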