ASVS Requirement 9.2.2
- Level: 2
- Chapter: V9 Self-contained Tokens
- Section: V9.2 Token content
- Source: 0x18-V9-Self-contained-Tokens.md
Description
Verify that the service receiving a token validates the token to be the correct type and is meant for the intended purpose before accepting the token's contents. For example, only access tokens can be accepted for authorization decisions and only ID Tokens can be used for proving user authentication.
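One way a receiving service can enforce this check, shown as an added example that is not part of ASVS: access tokens are recognised by the `typ` header value `at+jwt` defined in RFC 9068, and ID Tokens by the absence of that type plus a matching `nonce`. The HS256 key, audiences and function names are constructed for the demonstration; issuer validation and key lookup are left out.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed sample key (assumption)

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header, claims):
    """Issue a constructed HS256 sample token for the demonstration."""
    body = _b64e(json.dumps(header).encode()) + "." + _b64e(json.dumps(claims).encode())
    return body + "." + _b64e(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def _verified(token, audience):
    """Checks common to every token: algorithm, signature, audience, expiry."""
    h64, c64, s64 = token.split(".")
    header = json.loads(_b64d(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64d(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(c64))
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    typ = str(header.get("typ", "")).lower().removeprefix("application/")
    return typ, claims

def accept_access_token(token, audience):
    """Resource server: authorization decisions use access tokens only."""
    typ, claims = _verified(token, audience)
    if typ != "at+jwt":  # RFC 9068 media type for JWT access tokens
        raise ValueError("not an access token")
    return claims

def accept_id_token(token, client_id, nonce):
    """Client: proof of authentication comes from ID Tokens only."""
    typ, claims = _verified(token, client_id)
    if typ == "at+jwt":
        raise ValueError("access token presented as ID Token")
    if not nonce or claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims
```

The type check runs only after the signature, audience and expiry checks pass, so a correctly signed token of the wrong kind is still refused.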