ASVS Requirement 10.5.1
- Level: 2
- Chapter: V10 OAuth and OIDC
- Section: V10.5 OIDC Client
- Source: 0x19-V10-OAuth-and-OIDC.md
Description
Verify that the client (as the relying party) mitigates ID Token replay attacks. For example, by ensuring that the 'nonce' claim in the ID Token matches the 'nonce' value sent in the authentication request to the OpenID Provider (in OAuth2 terminology, the authorization request sent to the authorization server).
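The following is an added example of how a relying party can implement this check; it is not part of the ASVS text and not any library's code. It assumes a server-side session dictionary and a hypothetical helper that parses a compact JWT payload; signature, issuer, audience and expiry validation of the ID Token are assumed to have been done already by the OIDC library in use. The nonce is generated with a CSPRNG, bound to the session, and deleted before comparison so that a second ID Token carrying the same nonce fails.

```python
"""Added example: relying-party nonce handling against ID Token replay."""
import base64
import hmac
import json
import secrets
import time

NONCE_KEY = "oidc_nonce"
NONCE_ISSUED_KEY = "oidc_nonce_issued_at"


def new_nonce(session: dict) -> str:
    """Create a fresh, unguessable nonce and bind it to the user's session.

    The returned value is sent as the 'nonce' parameter of the authentication
    request; the copy kept in the server-side session is the trusted record.
    """
    nonce = secrets.token_urlsafe(32)
    session[NONCE_KEY] = nonce
    session[NONCE_ISSUED_KEY] = time.time()
    return nonce


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact-serialised JWT.

    Assumption: the signature (and iss/aud/exp) has already been verified by
    the OIDC/JWT library in use. This hypothetical helper only parses the
    payload so the nonce check below can be shown in isolation.
    """
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_nonce(session: dict, claims: dict, max_age_s: int = 300) -> bool:
    """Check the ID Token's 'nonce' claim against the one stored for this session.

    The stored nonce is removed before comparison, so a second ID Token with
    the same nonce (a replay) fails even if its signature is valid. A missing,
    non-string or stale nonce is also rejected.
    """
    expected = session.pop(NONCE_KEY, None)
    issued_at = session.pop(NONCE_ISSUED_KEY, None)
    if expected is None or issued_at is None:
        return False
    if time.time() - issued_at > max_age_s:
        return False
    actual = claims.get("nonce")
    if not isinstance(actual, str):
        return False
    # Constant-time comparison; the nonce is a secret shared with the OP only.
    return hmac.compare_digest(expected.encode(), actual.encode())


def _constructed_id_token(claims: dict) -> str:
    """Constructed test fixture: a JWT-shaped string with a placeholder header
    and an empty signature, only to exercise id_token_claims(). A real ID Token
    must be signature-verified before any of its claims are trusted."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'placeholder', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    session: dict = {}
    nonce = new_nonce(session)  # send this as 'nonce' in the authentication request
    token = _constructed_id_token({"iss": "https://op.example", "sub": "alice", "nonce": nonce})
    print("first use:", verify_nonce(session, id_token_claims(token)))  # True
    print("replay:   ", verify_nonce(session, id_token_claims(token)))  # False
```

Two details matter in practice: the nonce must be kept server-side (or in a tamper-proof, HttpOnly cookie bound to the browser) rather than accepted back from the request, and the comparison must happen after the token's signature, issuer, audience and expiry have been validated, since a matching nonce in an unverified token proves nothing.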