I just discussed this with ayoung and confirmed it is possible to perform the same type of escalation with the oauth contrib module. It would also be possible to use OAuth-based tokens to create trusts that can escalate permissions.
OAuth -> OAuth
Trust -> OAuth
OAuth -> Trust
The immediate solution should be to prevent any form of chained delegation from occurring from trusts or OAuth (extending the new code to cover OAuth scenarios).
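
The guard proposed in the comment above, as an added example that is not part of the original comment and is not Keystone's code: it refuses to create a trust or an OAuth delegation when the requesting token was itself obtained through a trust or OAuth. The simplified token body (an `OS-TRUST:trust` or `OS-OAUTH1` section marking a delegated token) and all function names and sample tokens are assumptions made for illustration.

```python
# Added illustration, not Keystone's code. Assumed, simplified token body:
# a trust-scoped token has an "OS-TRUST:trust" section, an OAuth token "OS-OAUTH1".
DELEGATION_SECTIONS = {"OS-TRUST:trust": "trust", "OS-OAUTH1": "oauth"}


class ChainedDelegationError(Exception):
    """Raised when a delegated token is used to create another delegation."""


def delegation_source(token):
    """Return 'trust', 'oauth', or None for a token with no delegation."""
    body = token.get("token", {})
    for section, kind in DELEGATION_SECTIONS.items():
        if body.get(section):
            return kind
    return None


def authorize_new_delegation(token, target):
    """Permit creating `target` ('trust' or 'oauth') only from a direct token."""
    if target not in DELEGATION_SECTIONS.values():
        raise ValueError(f"unknown delegation type: {target}")
    source = delegation_source(token)
    if source is not None:
        raise ChainedDelegationError(f"{source} -> {target} is not allowed")
    return True


# Constructed sample tokens (IDs are placeholders).
DIRECT = {"token": {"user": {"id": "u1"}}}
VIA_TRUST = {"token": {"user": {"id": "u2"}, "OS-TRUST:trust": {"id": "t1"}}}
VIA_OAUTH = {"token": {"user": {"id": "u3"}, "OS-OAUTH1": {"access_token_id": "a1"}}}


def check_chains():
    """Try every source/target pair; map 'source -> target' to allowed/denied."""
    results = {}
    for name, token in (("direct", DIRECT), ("trust", VIA_TRUST), ("oauth", VIA_OAUTH)):
        for target in ("trust", "oauth"):
            try:
                authorize_new_delegation(token, target)
                results[f"{name} -> {target}"] = "allowed"
            except ChainedDelegationError:
                results[f"{name} -> {target}"] = "denied"
    return results


if __name__ == "__main__":
    for chain, outcome in check_chains().items():
        print(f"{chain}: {outcome}")
```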