ASVS Requirement 10.2.2
- Level: 2
- Chapter: V10 OAuth and OIDC
- Section: V10.2 OAuth Client
- Source: 0x19-V10-OAuth-and-OIDC.md
Description
Verify that, if the OAuth client can interact with more than one authorization server, it has a defense against mix-up attacks. For example, it could require that the authorization server return the 'iss' parameter value and validate it in the authorization response and the token response.
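As an added example (not ASVS text or any project's code), the following Python sketches the defense the requirement describes: the client records which authorization server each `state` was issued for, then rejects an authorization response or token response whose issuer does not match. The issuer identifiers and endpoints are constructed sample values, and the token response is assumed to carry its issuer in an `iss` field (as an ID token claim would).

```python
from urllib.parse import parse_qs, urlparse
import secrets

# Constructed sample registry of the authorization servers this client trusts
# (issuer identifier -> endpoints). Both values are placeholder URLs.
KNOWN_ISSUERS = {
    "https://as-a.example": {"token_endpoint": "https://as-a.example/token"},
    "https://as-b.example": {"token_endpoint": "https://as-b.example/token"},
}

class MixUpDefenseClient:
    """OAuth client that binds every authorization request to one issuer."""

    def __init__(self, issuers):
        self.issuers = issuers
        self._pending = {}  # state -> issuer the user agent was sent to

    def start_authorization(self, issuer):
        if issuer not in self.issuers:
            raise ValueError("unknown authorization server")
        state = secrets.token_urlsafe(16)
        self._pending[state] = issuer  # remember which AS this state belongs to
        return state

    def validate_authorization_response(self, redirect_url):
        query = parse_qs(urlparse(redirect_url).query)
        params = {k: v[0] for k, v in query.items()}
        expected_issuer = self._pending.pop(params.get("state"), None)
        if expected_issuer is None:
            raise ValueError("unknown or replayed state")
        # Mix-up defense: the AS must identify itself with 'iss' (RFC 9207) and
        # it must be the AS this state was issued for; a missing 'iss' fails too.
        if params.get("iss") != expected_issuer:
            raise ValueError("issuer mismatch in authorization response")
        if "code" not in params:
            raise ValueError("missing authorization code")
        # Hand back the token endpoint of the *expected* issuer so the code is
        # only ever redeemed at the AS that issued it.
        token_endpoint = self.issuers[expected_issuer]["token_endpoint"]
        return params["code"], expected_issuer, token_endpoint

    def validate_token_response(self, token_response, expected_issuer):
        # Second check: the issuer carried with the tokens (assumed here to be
        # an 'iss' field, e.g. the ID token claim) must match the same AS.
        if token_response.get("iss") != expected_issuer:
            raise ValueError("issuer mismatch in token response")
        return token_response["access_token"]
```

A response that omits `iss`, names a different trusted issuer, or arrives with an unknown `state` is rejected before the code is ever sent to a token endpoint.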