From e28f303736ad72fa12572376203e5efee8769e13 Mon Sep 17 00:00:00 2001 From: Elar Lang <47597707+elarlang@users.noreply.github.com> Date: Tue, 10 Dec 2024 19:54:13 +0200 Subject: [PATCH 1/2] #2183 - rs enforce authorisation decisions --- 5.0/en/0x51-V51-OAuth2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/5.0/en/0x51-V51-OAuth2.md b/5.0/en/0x51-V51-OAuth2.md index b36f5d3d2a..1e43267e8d 100644 --- a/5.0/en/0x51-V51-OAuth2.md +++ b/5.0/en/0x51-V51-OAuth2.md 
@@ -32,7 +32,7 @@ Given the complexity of the area, it is vitally important for a secure OAuth or | :---: | :--- | :---: | :---: | :---: | | **51.3.1** | [ADDED] Verify that the resource server prevents the use of stolen access tokens or replay of access tokens (from unauthorized parties) by requiring sender-constrained access tokens, either Mutual TLS for OAuth 2 or OAuth 2 Demonstration of Proof of Possession (DPoP). | | | ✓ | | **51.3.2** | [ADDED] Verify that the resource server only accepts access tokens that are intended for use with that service (audience). The audience may be included in a structured access token (such as the 'aud' claim in JWT) or it can be checked using the token introspection endpoint. | ✓ | ✓ | ✓ | -| **51.3.3** | [ADDED] Verify that access tokens are restricted to certain resources and actions on resource servers or resources. Every Resource Server is obliged to verify, for every request, whether the access token sent with that request was meant to be used for that particular action on the particular resource. If not, the resource server must refuse to serve the respective request. | ✓ | ✓ | ✓ | +| **51.3.3** | [ADDED] Verify that the resource server enforces authorization decisions based on claims from the access token that defines delegated authorization. If present, claims such as 'sub', 'scope', and 'authorization_details' should be part of the decision. | ✓ | ✓ | ✓ | | **51.3.4** | [ADDED] Verify that if an access control decision requires identifying a unique user from an access token (JWT or related token introspection response), the resource server identifies the user from claims that can not be reassigned to other users. Typically it means using a combination of 'iss' and 'sub' claims. | ✓ | ✓ | ✓ | ## V51.4 OAuth Authorization Server From 6a7ebb569961f7c3550daa69ee565c29fb55e3b5 Mon Sep 17 00:00:00 2001 
From: Josh Grossman Date: Tue, 10 Dec 2024 20:49:38 +0200 Subject: [PATCH 2/2] Grammar tweaks --- 5.0/en/0x51-V51-OAuth2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/5.0/en/0x51-V51-OAuth2.md b/5.0/en/0x51-V51-OAuth2.md index 1e43267e8d..c75282fd64 100644 --- a/5.0/en/0x51-V51-OAuth2.md +++ b/5.0/en/0x51-V51-OAuth2.md 
@@ -32,7 +32,7 @@ Given the complexity of the area, it is vitally important for a secure OAuth or | :---: | :--- | :---: | :---: | :---: | | **51.3.1** | [ADDED] Verify that the resource server prevents the use of stolen access tokens or replay of access tokens (from unauthorized parties) by requiring sender-constrained access tokens, either Mutual TLS for OAuth 2 or OAuth 2 Demonstration of Proof of Possession (DPoP). | | | ✓ | | **51.3.2** | [ADDED] Verify that the resource server only accepts access tokens that are intended for use with that service (audience). The audience may be included in a structured access token (such as the 'aud' claim in JWT) or it can be checked using the token introspection endpoint. | ✓ | ✓ | ✓ | -| **51.3.3** | [ADDED] Verify that the resource server enforces authorization decisions based on claims from the access token that defines delegated authorization. If present, claims such as 'sub', 'scope', and 'authorization_details' should be part of the decision. | ✓ | ✓ | ✓ | +| **51.3.3** | [ADDED] Verify that the resource server enforces authorization decisions based on claims from the access token that define delegated authorization. If claims such as 'sub', 'scope', and 'authorization_details' are present, they should be part of the decision. | ✓ | ✓ | ✓ | | **51.3.4** | [ADDED] Verify that if an access control decision requires identifying a unique user from an access token (JWT or related token introspection response), the resource server identifies the user from claims that can not be reassigned to other users. Typically it means using a combination of 'iss' and 'sub' claims. | ✓ | ✓ | ✓ | ## V51.4 OAuth Authorization Server
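Review bot: In the first hunk (commit e28f303), the rewritten 51.3.3 only covers "claims from the access token", which leaves out resource servers that receive opaque tokens and obtain the claims via introspection; the neighbouring requirements in the same hunk context are explicit about this ("it can be checked using the token introspection endpoint" in 51.3.2, "JWT or related token introspection response" in 51.3.4), so 51.3.3 should say the same, for example "based on claims from the access token (or the related token introspection response) that define delegated authorization". Two smaller points in the same line: "claims ... that defines" should be "define" (subject-verb agreement), and listing 'sub' among the claims that "define delegated authorization" overlaps with 51.3.4, which already covers identifying the user from 'iss' and 'sub'; 'scope' and 'authorization_details' are the claims that actually express what was delegated.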
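Review bot: In the second hunk (commit 6a7ebb5), the grammar fix is correct, but the requirement now states only that the listed claims "should be part of the decision" and no longer says what the resource server must do when the token does not authorise the requested action; the original wording that was removed in the first hunk made this explicit ("If not, the resource server must refuse to serve the respective request"). Suggest restoring a fail-closed outcome, for example ending the sentence with "and the resource server rejects requests that are not covered by them", so that the requirement is testable rather than advisory, and also carrying over "or token introspection response" so 51.3.3 is consistent with 51.3.2 and 51.3.4 in the unchanged context.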