Good implementations make use of state and nonce parameters to prevent attacks e.g. state parameter used to tie it to the browser (prevent CSRF attack):
User visits OAuth application (signed out)
Application sets secure cookie with a state value (cookies are set to the Apps host)
Application redirects to Visma Connect IdP with state parameter in the Authorize-request
User logs in with Visma Connect IdP
Visma Connect IdP redirects back to Application via pre-registered OAuth redirectURI
Application validates OAuth state, comparing cookie value to state value from Visma Connect IdP callback
Application approves or rejects OAuth callback