
I Found 5 Security Bugs in My OAuth2 Provider on My First Try (With an MCP Security Tool)
I built Autentico, a self-contained OAuth 2.0 / OpenID Connect identity provider in Go. I took spec compliance seriously. Every code path is annotated with the RFC section it implements, I passed the OpenID Foundation conformance suite, and I ran OWASP ZAP scans against it. I thought I was in good shape.

Then I connected go-appsec/toolbox to Claude Code, browsed my app for ten minutes, and found five vulnerabilities (including a HIGH severity issue) on my very first session with the tool. I had almost no prior experience with security testing. Here's how that happened.

The foundation: RFC annotations and conformance testing

When I built Autentico, I wanted to do things by the book. Every return path, every validation check, every error response references the exact spec section that mandates it:

```go
// RFC 7009 §2.1: "The authorization server first validates the client
// credentials (in case of a confidential client)."
authenticatedClient, err := client.AuthenticateClientFromRequest(
```
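To make the annotated rule above concrete, here is an added example (not Autentico's code, and not from the post) of a token revocation endpoint that follows RFC 7009 §2.1 in the order the spec states it: authenticate the client first, then act on the token only if it was issued to that client. The `Client`, `Token` and `Server` types, the in-memory maps, the `NewDemoServer` seed data and the `revokeWithBasicAuth` helper are all hypothetical scaffolding for the example; the client and token values are constructed, not real credentials.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Client and Token are hypothetical in-memory records for this example;
// Autentico's real storage layer is not shown on the page.
type Client struct {
	ID           string
	Secret       string // a real server stores a hash, never the raw secret
	Confidential bool
}

type Token struct {
	ClientID string
	Revoked  bool
}

type Server struct {
	clients map[string]*Client
	tokens  map[string]*Token
}

// NewDemoServer seeds two confidential clients, each holding one token
// (constructed sample data for the example).
func NewDemoServer() *Server {
	return &Server{
		clients: map[string]*Client{
			"app-a": {ID: "app-a", Secret: "secret-a", Confidential: true},
			"app-b": {ID: "app-b", Secret: "secret-b", Confidential: true},
		},
		tokens: map[string]*Token{
			"tok-a1": {ClientID: "app-a"},
			"tok-b1": {ClientID: "app-b"},
		},
	}
}

func writeError(w http.ResponseWriter, status int, code string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	fmt.Fprintf(w, `{"error":%q}`, code)
}

// authenticateClient is the RFC 7009 §2.1 first step. Confidential clients use
// client_secret_basic (RFC 6749 §2.3.1: id and secret are form-urlencoded
// before base64); public clients only send client_id in the body.
func (s *Server) authenticateClient(r *http.Request) (*Client, bool) {
	id, secret, hasBasic := r.BasicAuth()
	if hasBasic {
		id, _ = url.QueryUnescape(id)
		secret, _ = url.QueryUnescape(secret)
	} else {
		id = r.PostFormValue("client_id")
	}
	c, ok := s.clients[id]
	if !ok {
		return nil, false
	}
	if !c.Confidential {
		return c, true
	}
	if !hasBasic || subtle.ConstantTimeCompare([]byte(c.Secret), []byte(secret)) != 1 {
		return nil, false
	}
	return c, true
}

// Revoke handles POST /revoke as described in RFC 7009 §2.
func (s *Server) Revoke(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		writeError(w, http.StatusMethodNotAllowed, "invalid_request")
		return
	}
	if err := r.ParseForm(); err != nil {
		writeError(w, http.StatusBadRequest, "invalid_request")
		return
	}
	c, ok := s.authenticateClient(r)
	if !ok {
		// Failed client authentication is reported (RFC 6749 §5.2 invalid_client)
		// before the token value is looked at.
		w.Header().Set("WWW-Authenticate", `Basic realm="revoke"`)
		writeError(w, http.StatusUnauthorized, "invalid_client")
		return
	}
	tok := r.PostFormValue("token")
	if tok == "" {
		writeError(w, http.StatusBadRequest, "invalid_request")
		return
	}
	// §2.1: revoke only a token issued to the authenticated client. §2.2: an
	// unknown token still gets 200. Another client's token is treated the same
	// way here (no action, 200), a design choice in this example that keeps the
	// endpoint from revealing which tokens exist or who owns them.
	if t, found := s.tokens[tok]; found && t.ClientID == c.ID {
		t.Revoked = true
	}
	w.WriteHeader(http.StatusOK)
}

// revokeWithBasicAuth drives Revoke in-process and returns the HTTP status.
func (s *Server) revokeWithBasicAuth(clientID, secret, token string) int {
	form := url.Values{"token": {token}}
	r := httptest.NewRequest(http.MethodPost, "/revoke", strings.NewReader(form.Encode()))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	r.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(secret))
	w := httptest.NewRecorder()
	s.Revoke(w, r)
	return w.Code
}

func main() {
	s := NewDemoServer()
	fmt.Println("wrong secret:", s.revokeWithBasicAuth("app-a", "nope", "tok-a1"))
	fmt.Println("other client's token:", s.revokeWithBasicAuth("app-a", "secret-a", "tok-b1"), s.tokens["tok-b1"].Revoked)
	fmt.Println("own token:", s.revokeWithBasicAuth("app-a", "secret-a", "tok-a1"), s.tokens["tok-a1"].Revoked)
}
```

The ordering matters: looking up the token before authenticating the client would let an unauthenticated caller learn from response timing or status whether a token exists, and a handler that revokes on a matching token value alone would let any client revoke tokens issued to another. The secret comparison uses a constant-time compare so the authentication step itself does not leak through timing.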
Continue reading on Dev.to
