It looks like when a user obtains a token - they can then pass a courses array to the script and trigger a manual enrolment into any course they want - I haven't had a good look at the workflow here, but if this happens within the browser session it looks like it presents a security risk.
https://github.com/Oomaxpro/moodle-auth_cognito/blob/oomaxpro/index.php#L40