Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

V51 OAuth: Add new OIDC Resource Server verifications #2049

Closed TobiasAhnoff closed 3 days ago

TobiasAhnoff commented 2 weeks ago

The following verifications are suggested to be added for the Resource Server to the proposed new OIDC chapter (see #2037).

Resource Server

Verify that only access tokens are used for authorization, not other kinds of tokens like ID Tokens or Logout tokens. (L1,L2,L3)

randomstuff commented 2 weeks ago

Verifying that only access tokens are used for authorization (i.e. when used by a non-malicious client) is not the same as verifying that only access tokens are usable for authorization (lack of token type confusion vulnerability). Should this requirement address only the former point or both?

elarlang commented 2 weeks ago

Related or duplicate discussion https://github.com/OWASP/ASVS/issues/2005?

TobiasAhnoff commented 1 week ago

@randomstuff reading this once more I understand the difference in wording and my intention was usable, so I suggest a change to

Verify that only access tokens are usable for authorization, not other kinds of tokens like ID Tokens or Logout tokens. (L1,L2,L3)

or

Verify that only access tokens can be used for authorization, not other kinds of tokens like ID Tokens or Logout tokens. (L1,L2,L3)

@elarlang I think this is the same discussion as #2005, maybe close this one and continue the discussion there, or the other way around?
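A resource-server check that enforces the "usable" wording above, i.e. one where an ID Token or a back-channel Logout Token cannot authorize a request even if it is validly signed by the same issuer. This is an added example, not code from this issue or from ASVS; the HS256 shared secret, the resource identifier and all claim sets are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not ASVS or any real deployment).
SECRET = b"demo-shared-secret"           # HS256 key shared with the demo AS
RESOURCE_ID = "https://api.example.test"  # this resource server's audience value

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(header: dict, claims: dict) -> str:
    """Build an HS256 JWT for the demo (stands in for the authorization server)."""
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def authorize(token: str, now: float = None) -> tuple:
    """Return (accepted, reason). Only an access token issued for this resource passes."""
    try:
        h, c, s = token.split(".")
        sig = _b64url_decode(s)
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return False, "malformed"
    # Algorithm is pinned to HS256 for the demo; never trust the token's own alg header.
    expected = hmac.new(SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # RFC 9068 JWT access tokens carry typ "at+jwt". An ID Token (typ "JWT", nonce claim)
    # or a back-channel Logout Token (typ "logout+jwt", events claim) is rejected on type
    # alone, so a valid signature from the same issuer is not enough to be "usable" here.
    if str(header.get("typ", "")).lower() not in ("at+jwt", "application/at+jwt"):
        return False, "not an access token (typ=%s)" % header.get("typ")
    # Defence in depth: ID/Logout Token markers must never appear on an access token.
    if "nonce" in claims or "events" in claims:
        return False, "id/logout token claims present"
    aud = claims.get("aud")
    if RESOURCE_ID not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "expired"
    return True, "ok"
```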

elarlang commented 1 week ago

> @elarlang I think this is the same discussion as #2005, maybe close this one and continue the discussion there, or the other way around?

Yes, no duplicates needed. Please carry all comments and information from here to the other one and close this one.

elarlang commented 3 days ago

Well, let's keep this discussion in https://github.com/OWASP/ASVS/issues/2005#issuecomment-2350131524. Closed as duplicate.