ASVS Requirement 9.2.4

• Level: 2
• Chapter: V9 Self-contained Tokens
• Section: V9.2 Token content
• Source: 0x18-V9-Self-contained-Tokens.md

Description

Verify that, if a token issuer uses the same private key for issuing tokens to different audiences, the issued tokens contain an audience restriction that uniquely identifies the intended audiences. This will prevent a token from being reused with an unintended audience. If the audience identifier is dynamically provisioned, the token issuer must validate these audiences in order to make sure that they do not result in audience impersonation.