Which attack targets OAuth 2.0 by intercepting the authorization code in the redirect URI to obtain access tokens?