#2028 - AS requires strong authentication and issues sender-contraine…

…d access tokens
OWASP · Oct 10, 2024 · 2c92cf7 · 2c92cf7
1 parent fad4829
commit 2c92cf7
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/5.0/en/0x51-V51-OAuth2.md b/5.0/en/0x51-V51-OAuth2.md
@@ -24,6 +24,8 @@ There are various different personas in the OAuth process, described in more det
 | **51.2.7** | [ADDED] Verify that confidential client is authenticated for client-to-authorized server backchannel requests such as token requests, PAR requests, token revocation requests, and token introspection requests. | ✓ | ✓ | ✓ |
 | **51.2.8** | [ADDED] Verify that the authorization server configuration only assigns the required scopes to the OAuth Client. | ✓ | ✓ | ✓ |
 | **51.2.9** | [ADDED] Verify that grant type 'code' is always used together with pushed authorization requests (PAR). | | | ✓ |
+| **51.2.10** | [ADDED] Verify that the client is confidential and the authorization server requires the use of strong client authentication methods, i. e. 'mTLS' or 'private-key-jwt'. | | | ✓ |
+| **51.2.11** | [ADDED] Verify that the authorization server issues only sender-constrained (Proof-of-Posession) access tokens, either using mTLS certificate binding or Demonstration of Proof of Possession (DPoP). | | | ✓ |
 
 ## V51.3 OAuth Client