ASVS Requirement 10.4.6
- Level: 2
- Chapter: V10 OAuth and OIDC
- Section: V10.4 OAuth Authorization Server
- Source: 0x19-V10-OAuth-and-OIDC.md
Description
Verify that, if the code grant is used, the authorization server mitigates authorization code interception attacks by requiring proof key for code exchange (PKCE). For authorization requests, the authorization server must require a valid 'code_challenge' value and must not accept a 'code_challenge_method' value of 'plain'. For a token request, it must require validation of the 'code_verifier' parameter.
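The three checks the requirement lists (a `code_challenge` must be present, `plain` must be rejected, and the `code_verifier` must be validated at the token endpoint) can be exercised end to end in a few lines. The following is an added example written for this page, not code from ASVS or any particular authorization server; the function names, the in-memory `_pending_codes` store and the `run_demo` flow are assumptions made for illustration. The `S256` transform and the test vector in the demo come from RFC 7636, which also defaults a missing `code_challenge_method` to `plain`, so an absent method is treated the same as `plain` here.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed in-memory store of issued codes and their PKCE challenge.
# A real server persists this per client and expires entries quickly.
_pending_codes: dict = {}

_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


class OAuthError(Exception):
    """Carries the OAuth 2.0 error code the server would return."""


def _b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def handle_authorization_request(params: dict) -> str:
    """Issue an authorization code only if the PKCE parameters are acceptable."""
    challenge = params.get("code_challenge")
    if not challenge:
        raise OAuthError("invalid_request: code_challenge is required")
    # RFC 7636 defaults a missing method to 'plain', so only an explicit S256 passes
    if params.get("code_challenge_method") != "S256":
        raise OAuthError("invalid_request: code_challenge_method must be S256")
    # An S256 challenge is 32 bytes base64url-encoded: exactly 43 unreserved characters
    if len(challenge) != 43 or not set(challenge) <= _UNRESERVED:
        raise OAuthError("invalid_request: malformed code_challenge")
    code = secrets.token_urlsafe(32)
    _pending_codes[code] = {"client_id": params.get("client_id"), "code_challenge": challenge}
    return code


def handle_token_request(params: dict) -> dict:
    """Redeem a code; fails unless code_verifier hashes to the stored challenge."""
    entry = _pending_codes.pop(params.get("code"), None)  # single use: remove before checking
    if entry is None:
        raise OAuthError("invalid_grant: unknown or already used authorization code")
    verifier = params.get("code_verifier")
    if not verifier:
        raise OAuthError("invalid_request: code_verifier is required")
    # RFC 7636 4.1: 43..128 unreserved characters
    if not (43 <= len(verifier) <= 128) or not set(verifier) <= _UNRESERVED:
        raise OAuthError("invalid_grant: malformed code_verifier")
    if not hmac.compare_digest(s256_challenge(verifier), entry["code_challenge"]):
        raise OAuthError("invalid_grant: code_verifier does not match code_challenge")
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def _rejected(fn, params: dict) -> bool:
    try:
        fn(params)
    except OAuthError:
        return True
    return False


def run_demo() -> dict:
    """Walk the checks with the RFC 7636 Appendix B test vector and return outcomes."""
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    challenge = s256_challenge(verifier)
    results = {
        "challenge": challenge,
        "missing_challenge_rejected": _rejected(
            handle_authorization_request, {"client_id": "app", "code_challenge_method": "S256"}),
        "plain_rejected": _rejected(
            handle_authorization_request,
            {"client_id": "app", "code_challenge": verifier, "code_challenge_method": "plain"}),
        "missing_method_rejected": _rejected(
            handle_authorization_request, {"client_id": "app", "code_challenge": challenge}),
    }
    code = handle_authorization_request(
        {"client_id": "app", "code_challenge": challenge, "code_challenge_method": "S256"})
    # an interceptor who stole the code but not the verifier cannot redeem it
    results["wrong_verifier_rejected"] = _rejected(
        handle_token_request, {"code": code, "code_verifier": "A" * 43})
    # the legitimate client presents the verifier and gets a token
    # (the failed attempt above already consumed the code, so issue a fresh one)
    code = handle_authorization_request(
        {"client_id": "app", "code_challenge": challenge, "code_challenge_method": "S256"})
    results["token_issued"] = "access_token" in handle_token_request(
        {"code": code, "code_verifier": verifier})
    results["replay_rejected"] = _rejected(
        handle_token_request, {"code": code, "code_verifier": verifier})
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note that the code is removed from the store before the verifier is checked, so a failed redemption burns the code rather than leaving it open to further guesses; that is why the demo re-issues a code before the successful exchange.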