ASVS Requirement 10.6.1
- Level: 2
- Chapter: V10 OAuth and OIDC
- Section: V10.6 OpenID Provider
- Source: 0x19-V10-OAuth-and-OIDC.md
Description
Verify that the OpenID Provider only allows the values 'code', 'ciba', 'id_token', or 'id_token code' for the response type. These are values of the response_type parameter of the authorization request; response_mode is a separate parameter that only selects how the response is delivered (query, fragment or form_post) and is not what this requirement restricts. Note that 'code' is preferred over 'id_token code' (the OIDC Hybrid flow), and 'token', alone or in any combination such as 'id_token token' or 'code token' (any Implicit flow that returns an access token in the front channel), must not be used. 'ciba' refers to the Client Initiated Backchannel Authentication flow, which has no response_type of its own because its requests go to the backchannel authentication endpoint rather than the authorization endpoint.
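The following is an added example of how an OpenID Provider can enforce this allow-list at its authorization endpoint; it is not ASVS code and not taken from any particular provider. It assumes the provider has already parsed the request into query parameters and has already validated redirect_uri against the client's registration (RFC 6749 section 4.1.2.1 requires that before any error is redirected). The function names are the example's own. It goes slightly beyond the requirement text by treating response_type as the order-independent, space-delimited list that RFC 6749 section 3.1.1 defines, so 'code id_token' and 'id_token code' are the same Hybrid flow, and by refusing every combination containing 'token', not just the bare value.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Allowed response_type values, each as an unordered token set. RFC 6749
# section 3.1.1 makes response_type a space-delimited list whose order does
# not matter, so comparing sets is the correct way to match them.
ALLOWED_RESPONSE_TYPES = frozenset({
    frozenset({"code"}),              # authorization code flow (preferred)
    frozenset({"id_token"}),          # ID token only, no access token in the front channel
    frozenset({"id_token", "code"}),  # OIDC Hybrid flow (allowed, less preferred than 'code')
})
# 'ciba' from the requirement is deliberately absent: CIBA requests arrive at
# the backchannel authentication endpoint and never carry a response_type.


def parse_response_type(raw):
    """Split the space-delimited value into a token set; None if malformed
    (missing, empty, stray whitespace, or a repeated token)."""
    if raw is None:
        return None
    tokens = raw.split(" ")
    if any(t == "" for t in tokens) or len(set(tokens)) != len(tokens):
        return None
    return frozenset(tokens)


def check_response_type(raw):
    """Return (True, None) if the value is allowed, else (False, error_code)
    using the RFC 6749 error codes the client will receive."""
    tokens = parse_response_type(raw)
    if tokens is None:
        return False, "invalid_request"
    if "token" in tokens:
        # Any combination containing 'token' is an Implicit flow that hands an
        # access token to the browser; refuse it regardless of the other tokens.
        return False, "unsupported_response_type"
    if tokens not in ALLOWED_RESPONSE_TYPES:
        return False, "unsupported_response_type"
    return True, None


def response_types_supported():
    """Value to publish as response_types_supported in the discovery document,
    so clients can see that 'token' combinations are not offered."""
    return sorted(" ".join(sorted(t)) for t in ALLOWED_RESPONSE_TYPES)


def handle_authorization_request(url):
    """Outcome for one authorization request URL (constructed for the example).

    Returns ('continue', params) when the response_type is allowed,
    ('redirect', error_url) when it is rejected and a redirect_uri is present,
    or ('error', error_code) when there is nowhere safe to redirect to.
    The caller is assumed (hypothetical precondition) to have validated
    redirect_uri against the client registration before calling this.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    ok, err = check_response_type(params.get("response_type"))
    if ok:
        return "continue", params
    if "redirect_uri" not in params:
        return "error", err
    error = {"error": err}
    if "state" in params:
        error["state"] = params["state"]  # RFC 6749: echo state if the request had one
    return "redirect", params["redirect_uri"] + "?" + urlencode(error)


if __name__ == "__main__":
    # Constructed sample requests: one Hybrid flow request and one Implicit flow request.
    hybrid = ("https://op.example/authorize?client_id=app&response_type=id_token+code"
              "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&state=abc&nonce=n1")
    implicit = ("https://op.example/authorize?client_id=app&response_type=token"
                "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&state=xyz")
    print(handle_authorization_request(hybrid)[0])    # continue
    print(handle_authorization_request(implicit)[1])  # redirect with error=unsupported_response_type
    print(response_types_supported())
```

Publishing the same allow-list in response_types_supported keeps the discovery metadata honest, and testing the check with reordered and duplicated tokens is the part most hand-written validators get wrong: a string comparison against 'id_token code' would wrongly reject 'code id_token' and, worse, a substring check would wrongly accept 'id_token token'.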