Gabriel Corona
"before processing further" is somewhat vague/ambiguous.
> **Verify that the token is an access token** intended for the service (API). For JWTs this can be achieved by validating the claims 'aud' and 'typ'. If audience is...
> V13.?? Access tokens What quite worries me is that ~~some~~ most of these requirements are actually valid for a wide range of tokens outside of access tokens. If we...
> Verify that access tokens are cryptographically secure, either by using a digital signature or MAC to protect against tampering. If validation fails, the token must be rejected. (see https://github.com/OWASP/ASVS/issues/2184)...
> directly OIDC should be used without OAuth overhead I'm not sure I understand what you mean by that. OIDC is a layer on top of OAuth so …
> Do we need a separate requirement to check the issuer from the token claim, or is it, or will it be, covered by something else? We have the requirement in the...
> it would probably make more sense to document which flows are legacy due to their insecure nature rather than state all of the accepted flows Yes, it would. Especially...
> Example of usage: id_token exchange for external MFA between 2 IdPs Why would you not want to use the authorization code with PKCE in this case?
> V3.5.5 Verify that only signing algorithms on an allowlist are allowed for a stateless token. Should we verify as well that in a given context either MAC or public-key...
Yes, it would probably be good to open an issue about 3.5.3 specifically.