- Map all redirect URIs registered for the application
- Test path manipulation, subdomain variations, and URL encoding tricks
- Look for open redirect vulnerabilities on the redirect domain
- Verify PKCE implementation for public clients
- Test state parameter presence and validation
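
What the redirect URI, PKCE and state checks above are probing for, seen from the authorization server and client side. This is an added example, not code from the original page; the registered URI, the hostnames and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed registration for a hypothetical client (assumption, not from the page).
REGISTERED = {"https://app.example.com/callback"}

def prefix_match(uri):
    """Flawed 'before' check: accepts anything sharing the registered origin prefix."""
    return any(uri.startswith(r.rsplit("/", 1)[0]) for r in REGISTERED)

def exact_match(uri):
    """Hardened check: byte-for-byte comparison, no decoding or normalisation."""
    return uri in REGISTERED

def s256_challenge(verifier):
    """PKCE S256 transform from RFC 7636: BASE64URL(SHA256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def pkce_ok(stored_challenge, verifier):
    """Token endpoint check; a missing verifier fails for public clients."""
    if not verifier or not stored_challenge:
        return False
    return hmac.compare_digest(s256_challenge(verifier), stored_challenge)

def state_ok(session_state, returned_state):
    """Callback check: state must be present and equal to the session-bound value."""
    if not session_state or not returned_state:
        return False
    return hmac.compare_digest(session_state, returned_state)

# Constructed variants covering the checklist's redirect URI cases.
VARIANTS = [
    "https://app.example.com/callback",                    # registered value
    "https://app.example.com/callback/../other",           # path manipulation
    "https://app.example.com.untrusted.example/callback",  # subdomain-style lookalike
    "https://app.example.com/callback%2F..%2Fother",       # URL encoding
]

def audit(check):
    """Return the variants a given check accepts."""
    return [u for u in VARIANTS if check(u)]

if __name__ == "__main__":
    print("prefix check accepts:", audit(prefix_match))
    print("exact check accepts: ", audit(exact_match))
```

A server that behaves like `prefix_match` accepts every variant, while one that behaves like `exact_match` accepts only the registered value.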