review V51.4.2

[elarlang]

From the initial OAuth paragraph draft we have requirements:

#	Description	L1	L2	L3
51.4.2	[ADDED] Verify that access tokens are restricted to certain resource servers (audience restriction), preferably to a single resource server. Every resource server is obliged to verify, for every request, whether the access token sent with that request was meant to be used for that particular resource server. If not, the resource server must refuse to serve the respective request.	✓	✓	✓

Additionally to some formating improvements, we need to (re)validate the content, the need, the problem to solve and sections.

[elarlang]

We have also requirement 3.5.6:	#	Description	L1	L2	L3	CWE
3.5.6	[ADDED] Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience.	✓	✓	✓	287

Maybe we should cover it with spliting 3.5.6 to more precise requirements, as recommended in https://github.com/OWASP/ASVS/issues/1967#issuecomment-2351456688.

At the same time I don't want the message to be hidden, that aud in an access token points to resource server and aud in ID token points to client_id.

[randomstuff]

preferably to a single resource server.

FWIW, this condition is less important (sometimes) when using sender-constrained tokens.

[elarlang]

For direction:

Verify that the resource server validates the access token to be made for that resource server (audience) by checking the 'aud' claim from the access token to be an expected value.

Need to cover:

• reference token and introspection
• fix the last part - the aud need to contain expected value referencing to resource server