ASVS Requirement 10.3.2
- Level: 2
- Chapter: V10 OAuth and OIDC
- Section: V10.3 OAuth Resource Server
- Source: 0x19-V10-OAuth-and-OIDC.md
Description
Verify that the resource server enforces authorization decisions based on claims from the access token that define delegated authorization. If claims such as 'sub', 'scope', and 'authorization_details' are present, they must be part of the decision.
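An added example, not ASVS text, of how a resource server can turn these claims into a deny-by-default decision in Python, assuming the token's signature, expiry, issuer and audience were already verified upstream; the scope names, the `account_access` detail type and the policy that `sub` must match the resource owner are assumptions for illustration:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    owner: str     # resource owner the requested resource belongs to
    action: str    # "read" or "write"
    resource: str  # resource identifier, e.g. "/accounts/123"

# Constructed policy: the scope each action requires (assumed names, not from ASVS).
REQUIRED_SCOPE = {"read": "accounts:read", "write": "accounts:write"}

def _detail_allows(entry, req: Request) -> bool:
    """One RFC 9396 authorization_details entry permits the request only if its
    type, locations and actions all match (field layout assumed for this example)."""
    if not isinstance(entry, dict) or entry.get("type") != "account_access":
        return False
    if req.resource not in entry.get("locations", []):
        return False
    return req.action in entry.get("actions", [])

def authorize(claims: dict, req: Request) -> bool:
    """Decide from the token's delegated-authorization claims; deny by default."""
    # 'sub': the token acts for one resource owner; only that owner's data is reachable.
    sub = claims.get("sub")
    if not sub or sub != req.owner:
        return False
    # 'scope': space-separated (RFC 6749); the action's scope must have been granted.
    scopes = set(str(claims.get("scope", "")).split())
    if REQUIRED_SCOPE.get(req.action) not in scopes:
        return False
    # 'authorization_details': when present it narrows the grant further, so it is
    # checked in addition to scope, never instead of it; an empty list grants nothing.
    details = claims.get("authorization_details")
    if details is not None:
        if not isinstance(details, list) or not details:
            return False
        if not any(_detail_allows(d, req) for d in details):
            return False
    return True

# Constructed sample token payload (already validated; values are illustrative).
SAMPLE_CLAIMS = {
    "sub": "alice",
    "scope": "accounts:read accounts:write",
    "authorization_details": [
        {"type": "account_access", "locations": ["/accounts/123"], "actions": ["read"]}
    ],
}
```

Note that the `write` scope alone does not unlock a write here: the `authorization_details` entry only lists `read`, so the narrower claim wins.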