ASVS Requirement 10.3.5
- Level: 3
- Chapter: V10 OAuth and OIDC
- Section: V10.3 OAuth Resource Server
- Source: 0x19-V10-OAuth-and-OIDC.md
Description
Verify that the resource server prevents the use of stolen access tokens or replay of access tokens (from unauthorized parties) by requiring sender-constrained access tokens, either Mutual TLS for OAuth 2 or OAuth 2 Demonstration of Proof of Possession (DPoP).
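
A resource-server-side binding check for this requirement, as an added example that is not part of ASVS: it compares the access token's `cnf` claim with the TLS client certificate thumbprint (`x5t#S256`, RFC 8705) or the DPoP public key thumbprint (`jkt`, RFC 9449 with RFC 7638). It assumes the token signature and the DPoP proof JWT were already validated; the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638: only these members, per key type, feed the JWK thumbprint.
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"),
             "OKP": ("crv", "kty", "x")}

# Constructed sample inputs (not real keys or certificates).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_CERT_DER = b"constructed stand-in for DER certificate bytes"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """SHA-256 JWK thumbprint: required members, sorted keys, no whitespace."""
    subset = {m: jwk[m] for m in _REQUIRED[jwk["kty"]]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def cert_thumbprint(cert_der):
    """x5t#S256: SHA-256 over the DER encoding of the TLS client certificate."""
    return _b64url(hashlib.sha256(cert_der).digest())


def _same(expected, actual):
    # Constant-time comparison; a non-string claim value never matches.
    return isinstance(expected, str) and hmac.compare_digest(
        expected.encode("utf-8"), actual.encode("utf-8"))


def sender_constraint_ok(claims, cert_der=None, dpop_jwk=None):
    """True only if the token is bound to the key the caller presented."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False  # unbound bearer token: rejected outright
    if "x5t#S256" in cnf:
        return cert_der is not None and _same(cnf["x5t#S256"], cert_thumbprint(cert_der))
    if "jkt" in cnf and dpop_jwk is not None:
        try:
            return _same(cnf["jkt"], jwk_thumbprint(dpop_jwk))
        except (KeyError, TypeError):
            return False  # malformed or unsupported JWK in the DPoP proof
    return False  # cnf present but no supported, provable confirmation method
```
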