...
Note well: The application developer should must scope-check all identifiers asserted by untrusted 3rd parties. This is especially true if the identifier is used for access control. Failure to do so may lead to gaping security holes like the one reported in Office 365.
...