Closed TobiasAhnoff closed 3 days ago
Verifying that only access tokens are used for authorization (i.e. when used by a non malicious client) is not the same as verifying that only access tokens are usable for authorization (lack of token type confusion vulnerability). Should this requirement address only the former point or both?
Related or duplicate discussion https://github.com/OWASP/ASVS/issues/2005?
@randomstuff reading this once more I understand the difference in wording and my intention was usable, so I suggest a change to
Verify that only access tokens are usable for authorization, not other kinds of tokens like ID Tokens or Logout tokens. (L1,L2,L3) or Verify that only access tokens can be used for authorization, not other kinds of tokens like ID Tokens or Logout tokens. (L1,L2,L3)
@elarlang I think this is the same discussion as #2005, maybe close this one and continue the discussion there, or the other way around?
Yes, no duplicates needed. Please carry all comments and information from here to the other one and close this one.
Well, let's keep this discussion in https://github.com/OWASP/ASVS/issues/2005#issuecomment-2350131524. Closed as duplicate.
The following verifications are suggested to be added for the Resource Server to the proposed new OIDC chapter (see #2037).
Resource Server
Verify that only access tokens are used for authorization, not other kinds of tokens like ID Tokens or Logout tokens. (L1,L2,L3)
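As an added example that is not part of this thread or of the ASVS project, the following resource-server check makes the "usable" reading of the requirement enforceable: it accepts a JWT only when its `typ` header is `at+jwt` (RFC 9068), its audience names the resource server, and it carries none of the claims that only ID tokens (`nonce`) or back-channel logout tokens (`events`) contain. The issuer URL, resource identifier, client ID and the HS256 shared secret are constructed for the demo; the three sample tokens are minted locally so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed identifiers for the example; not ASVS or any real deployment's values.
ISSUER = "https://idp.example.test"
RESOURCE_ID = "https://api.example.test"   # this resource server's own audience value
CLIENT_ID = "spa-client"                   # the OIDC client; ID and logout tokens target it, not us
SECRET = b"constructed-demo-hs256-secret"  # HS256 shared key, assumed for illustration only


class TokenRejected(Exception):
    """Raised with a short reason when a presented token must not authorize the request."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(header: dict, claims: dict) -> str:
    """Produce an HS256-signed JWS; used only to build the sample tokens below."""
    hdr = dict(header, alg="HS256")
    signing_input = _b64url(json.dumps(hdr).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now=None) -> dict:
    """Return the claims only if `token` is an access token issued for this resource server."""
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(SECRET, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise TokenRejected("bad signature")
    # Token-type check (RFC 9068): only "at+jwt" is an access token. ID tokens carry
    # typ "JWT" (or none); back-channel logout tokens typically carry "logout+jwt".
    typ = str(header.get("typ", "")).lower()
    if typ not in ("at+jwt", "application/at+jwt"):
        raise TokenRejected(f"typ {header.get('typ')!r} is not an access token")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if RESOURCE_ID not in aud:
        raise TokenRejected("not addressed to this resource server")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenRejected("expired")
    # Defence in depth for issuers that omit typ: claims unique to the other token kinds.
    if "nonce" in claims:
        raise TokenRejected("nonce claim: looks like an ID token")
    if "events" in claims:
        raise TokenRejected("events claim: looks like a logout token")
    return claims


def authorize(token: str, now=None):
    """Resource-server decision as (allowed, reason)."""
    try:
        claims = verify_access_token(token, now)
        return True, f"access token for {claims.get('sub')}"
    except TokenRejected as exc:
        return False, str(exc)


def sample_tokens(now: float) -> dict:
    """Three constructed tokens a confused or malicious client might present to the API."""
    base = {"iss": ISSUER, "iat": int(now), "exp": int(now) + 300, "sub": "user-123"}
    return {
        "access": mint({"typ": "at+jwt"}, dict(base, aud=[RESOURCE_ID], scope="read", client_id=CLIENT_ID)),
        "id": mint({"typ": "JWT"}, dict(base, aud=CLIENT_ID, nonce="n-0xabc", auth_time=int(now))),
        "logout": mint({"typ": "logout+jwt"}, dict(base, aud=CLIENT_ID, jti="lt-1",
                       events={"http://schemas.openid.net/event/backchannel-logout": {}})),
    }


if __name__ == "__main__":
    t = time.time()
    for kind, tok in sample_tokens(t).items():
        print(kind, authorize(tok, t))
```

Signature validity alone is not the point: all three sample tokens are correctly signed by the same issuer, and only the `typ` and audience checks separate the access token from the two that must not authorize anything.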