Any #security concerns about allowing a login form in an #iframe from anywhere (any ancestor)?

On one hand, that sounds like a security degradation; on the other hand, PayPal uses an iframe for payments ...

#cybersecurity #owasp

The answer was in the OAuth spec itself. To avoid clickjacking attacks, the OAuth flow should not be run in an iframe.

https://datatracker.ietf.org/doc/html/rfc6749#section-10.13

RFC 6749: The OAuth 2.0 Authorization Framework

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]


The question remains for PayPal. A payment form sounds critical as well and could be a victim of the same clickjacking attack type, no?

If anyone knows, I'm curious to understand how @paypaldev manages this threat type with PayPal iframes.
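RFC 6749 §10.13 tells the authorization server to prevent framing of its pages with the X-Frame-Options header (CSP's frame-ancestors is the modern equivalent and wins when both are present). The helper below, added here as an example and not PayPal's or any library's code, classifies a login page's response headers as frameable by "any" ancestor, "restricted" to listed origins, or "none"; the header sets are constructed samples.

```python
# Hypothetical helper: given a login/authorization page's response headers,
# decide whether any site can frame it (the situation asked about above).
# Semantics follow RFC 7034 (X-Frame-Options) and CSP Level 3: a
# frame-ancestors directive, if present, overrides X-Frame-Options.

def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # An empty source list matches nothing, i.e. behaves like 'none'.
            return [p.lower() for p in parts[1:]] or ["'none'"]
    return None


def framing_policy(headers: dict) -> str:
    """Classify framing exposure as 'any', 'restricted' or 'none'."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"]:
                return "none"
            # '*' or a bare scheme source such as "https:" lets any origin
            # with that scheme embed the page.
            if any(s == "*" or s.endswith(":") for s in sources):
                return "any"
            return "restricted"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "none"
    if xfo == "SAMEORIGIN":
        return "restricted"
    # No header, or a value browsers ignore (e.g. the obsolete ALLOW-FROM):
    # the page can be framed from anywhere.
    return "any"


# Constructed samples: the weak case from the question and a hardened set
# that follows the RFC's advice (both headers, for old and new browsers).
WEAK_LOGIN_HEADERS = {"Content-Type": "text/html"}
HARDENED_LOGIN_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    print("weak:", framing_policy(WEAK_LOGIN_HEADERS))          # any
    print("hardened:", framing_policy(HARDENED_LOGIN_HEADERS))  # none
```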