ASVS Requirement 10.5.5
- Level: 2
- Chapter: V10 OAuth and OIDC
- Section: V10.5 OIDC Client
- Source: 0x19-V10-OAuth-and-OIDC.md
Description
Verify that, when using OIDC back-channel logout, the relying party mitigates denial of service through forced logout and cross-JWT confusion in the logout flow. The client must verify that the logout token is correctly typed with a value of 'logout+jwt', contains the 'event' claim with the correct member name, and does not contain a 'nonce' claim. Note that it is also recommended to have a short expiration (e.g., 2 minutes).
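The checks named above, as an added example in Python (not ASVS or OpenID Foundation code). It assumes the logout token's signature has already been verified against the OP's published keys by a JWT library, and covers the claim-level checks that follow: explicit `typ` of `logout+jwt`, the `events` claim (the claim name used by OpenID Connect Back-Channel Logout 1.0) carrying the `http://schemas.openid.net/event/backchannel-logout` member, absence of `nonce`, a lifetime bounded by the recommended two minutes, plus the issuer, audience and `jti` replay checks the spec requires. The issuer, client id, timestamps and `MAX_LOGOUT_TOKEN_LIFETIME` policy value are constructed for the example.

```python
"""Claim-level validation for an OIDC back-channel logout token.

Added example, not ASVS or OpenID Foundation code. It assumes the JWT
signature has already been verified against the OP's published keys by a
JWT library; the checks below are the ones ASVS 10.5.5 names (typ, events
member, no nonce, short lifetime) plus the issuer/audience/jti checks
from the OpenID Connect Back-Channel Logout 1.0 specification.
"""
import base64
import json
import time

# Member name of the "events" claim defined by Back-Channel Logout 1.0
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
# Policy value (assumption): the 2-minute lifetime this requirement recommends
MAX_LOGOUT_TOKEN_LIFETIME = 120


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_jwt(token: str) -> tuple[dict, dict]:
    """Return (header, claims) of a compact JWS. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def make_unverified_jwt(header: dict, claims: dict) -> str:
    """Build a sample token with a placeholder signature (constructed test data only)."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


def validate_logout_token(header, claims, issuer, client_id, now=None, seen_jti=None):
    """Return None if the token is an acceptable logout token, else the reason to reject it."""
    now = time.time() if now is None else now

    # 1. Explicit typing defeats cross-JWT confusion: an ID token or access token
    #    from the same issuer must not be accepted as a logout token.
    #    RFC 7515 makes "typ" case-insensitive and allows the "application/" prefix.
    typ = str(header.get("typ", "")).lower().removeprefix("application/")
    if typ != "logout+jwt":
        return "typ is not logout+jwt"

    # 2. Bind the token to this OP and this client.
    if claims.get("iss") != issuer:
        return "unexpected issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return "audience does not include this client"

    # 3. The events claim must carry the back-channel logout member, whose
    #    value is a JSON object (it may be empty).
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        return "missing backchannel-logout member in events claim"

    # 4. A nonce marks an ID token; its presence means the wrong token kind.
    if "nonce" in claims:
        return "nonce claim must not be present"

    # 5. Something must identify the session(s) to terminate.
    if "sub" not in claims and "sid" not in claims:
        return "neither sub nor sid present"

    # 6. A short lifetime limits how long a captured token can force logouts.
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        return "iat and exp must be numeric"
    if exp <= now:
        return "token expired"
    if exp - iat > MAX_LOGOUT_TOKEN_LIFETIME:
        return "lifetime exceeds policy"

    # 7. jti replay protection within the lifetime window.
    jti = claims.get("jti")
    if not jti:
        return "missing jti"
    if seen_jti is not None:
        if jti in seen_jti:
            return "replayed jti"
        seen_jti.add(jti)
    return None


if __name__ == "__main__":
    # Constructed sample data (not captured from a real OP)
    NOW = 1_700_000_000
    good_claims = {"iss": "https://op.example", "aud": "rp-client", "iat": NOW - 5,
                   "exp": NOW + 115, "jti": "id-1", "sid": "sess-42",
                   "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}
    token = make_unverified_jwt({"alg": "RS256", "typ": "logout+jwt"}, good_claims)
    hdr, clm = split_jwt(token)
    print(validate_logout_token(hdr, clm, "https://op.example", "rp-client", now=NOW))
    # An ID token replayed against the logout endpoint fails the typ check first
    print(validate_logout_token({"alg": "RS256", "typ": "JWT"}, {**good_claims, "nonce": "n"},
                                "https://op.example", "rp-client", now=NOW))
```

The `typ` comparison is normalised because RFC 7515 treats the header value as case-insensitive and permits the `application/` media-type prefix; rejecting `LOGOUT+JWT` outright would break interoperable OPs without adding security. The `seen_jti` set only needs to retain identifiers for `MAX_LOGOUT_TOKEN_LIFETIME` seconds, which is the practical benefit of keeping that lifetime short.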