Commit
oauth/oidc - tokens only accessible for the components strictly needed,
Elar Lang authored and tghosth committed Sep 18, 2024
1 parent 8547e99 commit 1560463
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions 5.0/en/0x51-V51-OAuth2.md
@@ -9,6 +9,7 @@ There are various different personas in the OAuth process, described in more det
| # | Description | L1 | L2 | L3 |
| :---: | :--- | :---: | :---: | :---: |
| **51.1.1** | [ADDED] Verify that tokens (such as ID tokens, access tokens and refresh tokens) can only be used for their intended purpose. For example, ID tokens can only be used to prove user authentication for the client. ||||
| **51.1.2** | [ADDED] Verify that tokens are only sent to components that strictly need them. For example, avoid having access or refresh tokens accessible for the frontend when they are only needed by the backend. ||||

## V51.2 OAuth Authorization Server

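Review bot: The new 51.1.2 row leaves all three level cells empty (`||||`), so the requirement has no L1/L2/L3 assignment; since the sibling 51.1.1 row has the same gap, consider filling both in this change or noting in the commit that levels are assigned later. Two wording points on the added text: "accessible for the frontend" should read "accessible to the frontend", and "components that strictly need them" would be easier to verify if the example named the concrete pattern it has in mind (a backend that holds the access and refresh tokens on the browser's behalf, with the browser holding only a session identifier), since "frontend" and "backend" are otherwise left for the reader to define.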