ASVS Requirement 10.1.2

• Level: 2
• Chapter: V10 OAuth and OIDC
• Section: V10.1 Generic OAuth and OIDC Security
• Source: 0x19-V10-OAuth-and-OIDC.md

Description

Verify that the client only accepts values from the authorization server (such as the authorization code or ID Token) if these values result from an authorization flow that was initiated by the same user agent session and transaction. This requires that client-generated secrets, such as the proof key for code exchange (PKCE) 'code_verifier', 'state' or OIDC 'nonce', are not guessable, are specific to the transaction, and are securely bound to both the client and the user agent session in which the transaction was started.