ASVS Requirement 10.2.1
- Level: 2
- Chapter: V10 OAuth and OIDC
- Section: V10.2 OAuth Client
- Source: 0x19-V10-OAuth-and-OIDC.md
Description
Verify that, if the code flow is used, the OAuth client has protection against browser-based request forgery attacks, commonly known as cross-site request forgery (CSRF), which trigger token requests, either by using proof key for code exchange (PKCE) functionality or checking the 'state' parameter that was sent in the authorization request.
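The following is an added example, not ASVS text and not any particular library's implementation, showing how an OAuth client applies both mechanisms this requirement names in the authorization code flow: a per-session `state` value that is compared on the redirect back, and a PKCE code verifier (RFC 7636, S256 method) that is bound to the session and sent only in the token request. The endpoint URLs, client ID, in-memory session dict and the `FakeAuthorizationServer` stand-in are assumptions made so the example runs offline; the stand-in only does what a PKCE-capable authorization server must do (bind the issued code to the `code_challenge` and verify `code_verifier` at the token endpoint). The `csrf_outcome` function replays the attack the requirement is about: an attacker obtains a code under their own login and tricks the victim's browser into delivering it to the client's callback.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for illustration only; not a real provider.
AUTHZ_ENDPOINT = "https://as.example/authorize"
TOKEN_ENDPOINT = "https://as.example/token"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://client.example/cb"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def begin_login(session: dict) -> str:
    """Build the authorization request; bind state and PKCE verifier to this browser session."""
    state = b64url(secrets.token_bytes(32))
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range of RFC 7636
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier  # never leaves the client until the token request
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str, token_request, check_state: bool = True) -> dict:
    """Validate the redirect back against the session, then exchange the code with the verifier.

    check_state=False exists only to demonstrate that PKCE alone still defeats the forged
    callback; a real client keeps the state check on.
    """
    qs = parse_qs(urlparse(callback_url).query)
    code = qs.get("code", [None])[0]
    state = qs.get("state", [None])[0]
    expected_state = session.pop("oauth_state", None)  # single use: consumed whether or not it matches
    verifier = session.pop("pkce_verifier", None)
    if not code or not verifier or (check_state and not (state and expected_state)):
        raise PermissionError("missing code, state or session binding")
    if check_state and not hmac.compare_digest(state, expected_state):
        raise PermissionError("state mismatch: possible CSRF")
    return token_request({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    })


class FakeAuthorizationServer:
    """Constructed stand-in so the example runs offline; issues codes bound to a code_challenge."""

    def __init__(self):
        self.codes = {}

    def authorize(self, authz_url: str) -> str:
        q = parse_qs(urlparse(authz_url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("only S256 accepted")
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = q["code_challenge"][0]
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, form: dict) -> dict:
        challenge = self.codes.pop(form["code"], None)  # one attempt per code, success or not
        if challenge is None:
            raise PermissionError("unknown or reused code")
        computed = b64url(hashlib.sha256(form["code_verifier"].encode("ascii")).digest())
        if not hmac.compare_digest(computed, challenge):
            raise PermissionError("PKCE verification failed")
        return {"access_token": "at-" + form["code"], "token_type": "Bearer"}


def run_happy_path() -> dict:
    as_, session = FakeAuthorizationServer(), {}
    redirect = as_.authorize(begin_login(session))
    return handle_callback(session, redirect, as_.token)


def csrf_outcome(check_state: bool) -> str:
    """Attacker's code delivered to the victim's callback; returns why the client rejected it."""
    as_, attacker_session, victim_session = FakeAuthorizationServer(), {}, {}
    attacker_redirect = as_.authorize(begin_login(attacker_session))
    begin_login(victim_session)  # victim started their own login earlier
    try:
        handle_callback(victim_session, attacker_redirect, as_.token, check_state=check_state)
    except PermissionError as e:
        return str(e)
    return "accepted"


if __name__ == "__main__":
    print(run_happy_path())
    print(csrf_outcome(check_state=True), "|", csrf_outcome(check_state=False))
```

With the state check on, the forged callback is rejected before any token request is sent; with it off, the request still fails at the token endpoint because the victim's session holds a verifier for a different challenge than the one the attacker's code was bound to. Either mechanism satisfies the requirement, but only the `state` check stops the client from sending the attacker's code to the token endpoint at all, and both values must be bound to the browser session (not a global or a cookie the attacker can set) and consumed on first use.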