Open elarlang opened 1 day ago
We have also requirement 3.5.6:

| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 3.5.6 | [ADDED] Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience. | ✓ | ✓ | ✓ | 287 |
Maybe we should cover it with splitting 3.5.6 to more precise requirements, as recommended in https://github.com/OWASP/ASVS/issues/1967#issuecomment-2351456688.
At the same time I don't want the message to be hidden, that `aud` in an access token points to resource server and `aud` in ID token points to client_id.
preferably to a single resource server.
FWIW, this condition is less important (sometimes) when using sender-constrained tokens.
For direction:
Verify that the resource server validates the access token to be made for that resource server (audience) by checking the 'aud' claim from the access token to be an expected value.
Need to cover:
From the initial OAuth paragraph draft we have requirements:
Additionally to some formatting improvements, we need to (re)validate the content, the need, the problem to solve and sections.
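The check the proposed requirement describes, a resource server verifying that an access token's `aud` claim names that resource server (and also checking issuer, subject and expiry, per 3.5.6), as an added Python example that is not part of this issue, of ASVS, or of any OAuth library. It uses HS256 with a constructed shared secret purely so it runs offline; the issuer URL, resource server identifier, client_id and both tokens are constructed values. The second token is an ID token whose `aud` is the client_id, which the resource server must reject even though its signature is valid:

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Constructed for the example; stands in for the authorization server."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, expected_iss: str, expected_aud: str, now: int) -> dict:
    """Resource-server side: verify the signature first, then every security-sensitive claim.

    Raises ValueError with a reason on any failure; returns the claims only when all checks pass.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The accepted algorithm is configured here, never taken from the token header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    # 'aud' may be a single string or a list of strings (RFC 7519 section 4.1.3);
    # the resource server's own identifier must be among them.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if expected_aud not in aud_list:
        raise ValueError("token not intended for this audience")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def accept(token: str, key: bytes, expected_iss: str, expected_aud: str, now: int) -> str:
    """Return 'ok' when the token is acceptable, otherwise the rejection reason."""
    try:
        verify_token(token, key, expected_iss, expected_aud, now)
        return "ok"
    except ValueError as e:
        return str(e)


# Constructed values for the demonstration.
KEY = b"constructed-shared-secret-not-for-real-use"
WRONG_KEY = b"some-other-constructed-secret"
ISSUER = "https://as.example.test"
RESOURCE_SERVER = "https://api.example.test"
CLIENT_ID = "client-123"
NOW = 1_700_000_000

# Access token: aud is the resource server.
ACCESS_TOKEN = make_hs256_jwt(
    {"iss": ISSUER, "sub": "user-42", "aud": RESOURCE_SERVER, "exp": NOW + 300}, KEY)
# ID token: aud is the client_id, so the resource server must not accept it as an access token.
ID_TOKEN = make_hs256_jwt(
    {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "exp": NOW + 300}, KEY)
# Same claims as the access token but signed with a key the resource server does not trust.
FORGED_TOKEN = make_hs256_jwt(
    {"iss": ISSUER, "sub": "user-42", "aud": RESOURCE_SERVER, "exp": NOW + 300}, WRONG_KEY)
# Correct audience, but already expired at NOW.
EXPIRED_TOKEN = make_hs256_jwt(
    {"iss": ISSUER, "sub": "user-42", "aud": RESOURCE_SERVER, "exp": NOW - 1}, KEY)

if __name__ == "__main__":
    for name, tok in [("access", ACCESS_TOKEN), ("id", ID_TOKEN), ("forged", FORGED_TOKEN), ("expired", EXPIRED_TOKEN)]:
        print(f"{name}: {accept(tok, KEY, ISSUER, RESOURCE_SERVER, NOW)}")
```

The ordering matters: the signature is checked before any claim is read, and the audience check compares against the resource server's own configured identifier rather than anything the token supplies, which is what makes the `aud` claim carry the "made for this resource server" meaning the draft requirement asks for.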