ASVS Requirement 10.5.3
- Level: 2
- Chapter: V10 OAuth and OIDC
- Section: V10.5 OIDC Client
- Source: 0x19-V10-OAuth-and-OIDC.md
Description
Verify that the client rejects attempts by a malicious authorization server to impersonate another authorization server through authorization server metadata. The client must reject authorization server metadata if the issuer URL in the authorization server metadata does not exactly match the pre-configured issuer URL expected by the client.
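To make the check concrete, the following is an added Python example (written for this page, not code from ASVS or from any OIDC library) that performs the exact-match issuer comparison described above against a handful of constructed discovery documents. The issuer value, hostnames and endpoint URLs are assumptions invented for the example; the only real convention it relies on is the OpenID Connect Discovery rule for deriving the metadata URL from the issuer.

```python
import json

# Issuer the client was configured with out-of-band. Constructed value for this
# example; "idp.example.com" is a hypothetical provider, not one named by ASVS.
EXPECTED_ISSUER = "https://idp.example.com"


class IssuerMismatch(ValueError):
    """Raised when authorization server metadata is not for the expected issuer."""


def discovery_url(issuer: str) -> str:
    """Derive the metadata location from the configured issuer (OpenID Connect
    Discovery 1.0, section 4.1): strip a terminating '/' from any path component,
    then append '/.well-known/openid-configuration'. Fetching metadata from a URL
    derived from the configured issuer, not from a location supplied by another
    party, is what makes the later issuer comparison meaningful."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_metadata(expected_issuer: str, metadata_json: str) -> dict:
    """Parse a discovery document and accept it only if its 'issuer' member is
    byte-for-byte identical to the pre-configured issuer. No normalisation
    (case folding, trailing-slash trimming, scheme or port defaults) is applied:
    a document that differs in any of those ways is rejected."""
    try:
        metadata = json.loads(metadata_json)
    except json.JSONDecodeError as exc:
        raise IssuerMismatch(f"metadata is not valid JSON: {exc}") from exc
    if not isinstance(metadata, dict):
        raise IssuerMismatch("metadata is not a JSON object")
    issuer = metadata.get("issuer")
    if not isinstance(issuer, str):
        raise IssuerMismatch("metadata has no string 'issuer' member")
    if issuer != expected_issuer:
        raise IssuerMismatch(
            f"issuer {issuer!r} does not match configured issuer {expected_issuer!r}"
        )
    return metadata


def accepts(expected_issuer: str, metadata_json: str) -> bool:
    """True if the client would accept this metadata document, False otherwise."""
    try:
        validate_metadata(expected_issuer, metadata_json)
        return True
    except IssuerMismatch:
        return False


def _doc(issuer) -> str:
    """Build a minimal constructed discovery document around the given issuer."""
    body = {
        "issuer": issuer,
        "authorization_endpoint": "https://idp.example.com/authorize",
        "token_endpoint": "https://idp.example.com/token",
        "jwks_uri": "https://idp.example.com/jwks",
    }
    if issuer is None:
        del body["issuer"]
    return json.dumps(body)


# Constructed sample documents: one genuine, the rest variants that a client
# must not accept because the issuer string is not an exact match.
SAMPLES = {
    "exact":          _doc("https://idp.example.com"),
    "trailing_slash": _doc("https://idp.example.com/"),
    "upper_case":     _doc("HTTPS://IDP.EXAMPLE.COM"),
    "plain_http":     _doc("http://idp.example.com"),
    "explicit_port":  _doc("https://idp.example.com:443"),
    "different_host": _doc("https://other-idp.example"),
    "extra_path":     _doc("https://idp.example.com/tenant"),
    "missing":        _doc(None),
}


def check_all(expected_issuer: str = EXPECTED_ISSUER) -> dict:
    """Run the comparison over every sample; only 'exact' should come back True."""
    return {name: accepts(expected_issuer, doc) for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    print("metadata URL:", discovery_url(EXPECTED_ISSUER))
    for name, ok in check_all().items():
        print(f"{name:15s} {'accepted' if ok else 'rejected'}")
```

The deliberate absence of normalisation is the point: a client that trims slashes, lower-cases hosts or treats `:443` as equivalent has widened what it accepts beyond the single configured string, and each such widening is one more way for metadata that was not issued by the expected server to pass the check.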