This is one of the attack cases listed in the report "SoK: Single Sign-On Security – An Evaluation of OpenID Connect".
In this attack, the Attacker OP forces the Client to send a valid "code" issued by the Honest OP to the Attacker OP.
Precondition: the Attacker OP returns, during registration, the same "client_id" as the one the Client registered at the Honest OP. In other words, the Client has the same client_id at both OPs.
Execution.
Step 1: The Attacker starts an authentication on the Client with the Honest OP and records the "state" and "nonce" parameters sent in the Authentication Request.
Step 2: Attacker starts an authentication on the Client with the Malicious OP.
Step 3: The Malicious OP receives the Authentication Request and responds with an HTTP 302 Redirect to the Honest OP. The redirect URL contains the same parameters received in the Authentication Request, except that the "nonce" parameter is replaced by the value recorded in Step 1.
Result Evaluation.
The attack is successful if the Malicious OP receives the "code" generated by the Honest OP in the Token Request, i.e. the Client redeems the Honest OP's code at the Malicious OP's token endpoint.
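The following is an added example, not code from the SoK paper or from any OP or client implementation. It models a minimal Relying Party that can be run in the vulnerable configuration the attack relies on (one redirect_uri shared by all OPs, "state" not bound to an issuer at callback time) or in a hardened one that applies two defences: a distinct redirect_uri per OP, and a check that the "iss" parameter of the authorization response (RFC 9207) matches the issuer that "state" was bound to when the Authentication Request was built. The issuer URLs, client_id and code value are constructed placeholders; the "mock Honest OP" behaviour (rejecting an unregistered redirect_uri) is an assumption about a correctly configured OP.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HONEST = "https://honest.example"        # constructed issuer URL
MALICIOUS = "https://attacker.example"   # constructed issuer URL


@dataclass
class PendingAuth:
    issuer: str        # OP this login was started with
    nonce: str
    redirect_uri: str  # callback the OP was asked to redirect to


class RelyingParty:
    def __init__(self, base_url: str, strict: bool):
        self.base_url = base_url.rstrip("/")
        self.strict = strict
        self.pending: Dict[str, PendingAuth] = {}

    def redirect_uri_for(self, issuer: str) -> str:
        if not self.strict:
            return f"{self.base_url}/callback"          # one callback shared by every OP
        slug = issuer.replace("https://", "").replace("/", "_")
        return f"{self.base_url}/callback/{slug}"       # one callback per OP

    def start_auth(self, issuer: str) -> dict:
        """Build the Authentication Request; "state" is bound to the chosen OP."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        redirect_uri = self.redirect_uri_for(issuer)
        self.pending[state] = PendingAuth(issuer, nonce, redirect_uri)
        # client_id is identical at both OPs, as in the attack precondition
        return {"client_id": "client-123", "redirect_uri": redirect_uri,
                "state": state, "nonce": nonce}

    def handle_callback(self, callback_uri: str, params: dict) -> str:
        """Return the issuer whose token endpoint the code would be sent to."""
        pa = self.pending.pop(params.get("state", ""), None)
        if pa is None:
            raise ValueError("unknown or replayed state")
        if self.strict:
            if callback_uri != pa.redirect_uri:
                raise ValueError("code arrived on another OP's callback")
            if params.get("iss") != pa.issuer:
                raise ValueError("iss does not match the OP bound to state")
        return pa.issuer  # a real RP would now POST params["code"] to this OP's token endpoint


def simulate_idp_confusion(strict: bool) -> Tuple[Optional[str], Optional[str]]:
    """Replay Steps 1-3 against a mock Honest OP.
    Returns (issuer the code is redeemed at, rejection reason)."""
    rp = RelyingParty("https://client.example", strict)
    honest_registered = {rp.redirect_uri_for(HONEST)}   # Honest OP's client registration

    req1 = rp.start_auth(HONEST)      # Step 1: attacker records state and nonce
    req2 = rp.start_auth(MALICIOUS)   # Step 2: login started with the Malicious OP
    forwarded = dict(req2, nonce=req1["nonce"])   # Step 3: redirect to the Honest OP
    if forwarded["redirect_uri"] not in honest_registered:
        # Mock Honest OP refuses an unregistered redirect_uri, so the only
        # value it will accept is the per-OP callback registered for it.
        forwarded["redirect_uri"] = rp.redirect_uri_for(HONEST)

    response = {"code": "code-from-honest-op", "state": forwarded["state"], "iss": HONEST}
    try:
        return rp.handle_callback(forwarded["redirect_uri"], response), None
    except ValueError as exc:
        return None, str(exc)


def legitimate_login(strict: bool) -> str:
    """A normal login with the Honest OP must still succeed in both modes."""
    rp = RelyingParty("https://client.example", strict)
    req = rp.start_auth(HONEST)
    return rp.handle_callback(req["redirect_uri"],
                              {"code": "code-from-honest-op", "state": req["state"], "iss": HONEST})


if __name__ == "__main__":
    print("vulnerable:", simulate_idp_confusion(strict=False))
    print("hardened:  ", simulate_idp_confusion(strict=True))
```

In the vulnerable mode the callback for "state" from Step 2 resolves to the Malicious OP, so the Honest OP's code is redeemed there, which is exactly the success condition above. In strict mode the response either fails the per-OP callback check or the "iss" check, and a genuine login with the Honest OP is unaffected. Detection-wise, the distinguishing signal is a "state" value whose bound issuer differs from the OP that delivered the response.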