ASVS Requirement 10.3.3
- Level: 2
- Chapter: V10 OAuth and OIDC
- Section: V10.3 OAuth Resource Server
- Source: 0x19-V10-OAuth-and-OIDC.md
Description
Verify that if an access control decision requires identifying a unique user from an access token (a JWT or the related token introspection response), the resource server identifies the user from claims that cannot be reassigned to other users. Typically, this means using a combination of the 'iss' and 'sub' claims.
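The lookup this requirement asks for, as an added example that is not part of the ASVS text: the resource server keys its account store on the (iss, sub) pair and refuses to identify a user from anything else; a lookup keyed on a reassignable claim (the 'email' claim is used here as the illustrative example, and all identities, issuers and accounts are constructed) is shown beside it to make the risk concrete. The example assumes the JWT signature, audience and expiry were already validated, or that the introspection response came back over an authenticated channel; only claim handling is shown.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class UserKey:
    """Stable identity of a token's user: issuer plus the issuer's subject id."""
    issuer: str
    subject: str

def user_key_from_claims(claims: dict) -> UserKey:
    """Return the (iss, sub) pair identifying the user behind a token.

    Accepts either a decoded JWT payload or an RFC 7662 introspection
    response; both carry 'iss' and 'sub'. Assumes signature, audience and
    expiry were already checked (or the introspection call was
    authenticated); only the claim handling is shown here.
    """
    # An introspection response with active=false identifies nobody.
    if claims.get("active") is False:
        raise PermissionError("token is not active")
    iss, sub = claims.get("iss"), claims.get("sub")
    if not (isinstance(iss, str) and iss and isinstance(sub, str) and sub):
        raise PermissionError("token lacks the 'iss'/'sub' claims needed to identify the user")
    # 'sub' alone is not enough: two issuers may hand out the same value.
    return UserKey(issuer=iss, subject=sub)

# Constructed sample account store (hypothetical data), keyed by (iss, sub).
ACCOUNTS_BY_KEY: Dict[UserKey, str] = {
    UserKey("https://idp.example", "u-1001"): "alice",
    UserKey("https://idp.example", "u-2002"): "bob",
}

# Weak variant for comparison: the same accounts keyed by a reassignable claim.
ACCOUNTS_BY_EMAIL: Dict[str, str] = {"alice@example.org": "alice"}

def resolve_account(claims: dict) -> Optional[str]:
    """Look the user up by non-reassignable identity (ASVS 10.3.3)."""
    return ACCOUNTS_BY_KEY.get(user_key_from_claims(claims))

def resolve_account_by_email(claims: dict) -> Optional[str]:
    """Reassignable lookup: once the IdP hands alice's old address to bob,
    bob's token resolves to alice's account."""
    return ACCOUNTS_BY_EMAIL.get(claims.get("email", ""))

if __name__ == "__main__":
    # Constructed claims: the address formerly alice's is now bob's.
    bob_token = {"iss": "https://idp.example", "sub": "u-2002", "email": "alice@example.org"}
    print(resolve_account(bob_token))           # bob
    print(resolve_account_by_email(bob_token))  # alice  <- wrong account
```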