From 4a3c452672939ef55941d03f54a77a0f09de5765 Mon Sep 17 00:00:00 2001 From: Elar Lang Date: Tue, 19 Nov 2024 14:32:30 +0200 Subject: [PATCH] #2363 - tokens, check audience --- 5.0/en/0x12-V3-Session-management.md | 1 + 1 file changed, 1 insertion(+) diff --git a/5.0/en/0x12-V3-Session-management.md b/5.0/en/0x12-V3-Session-management.md index 2608459b17..9ddc5aa52e 100644 --- a/5.0/en/0x12-V3-Session-management.md +++ b/5.0/en/0x12-V3-Session-management.md @@ -84,6 +84,7 @@ Token-based session management includes JWT, OAuth, SAML, and API keys. Of these | **3.5.5** | [ADDED] Verify that only algorithms on an allowlist can be used to create and verify cryptographically secured tokens, for a given context. The allowlist should include the permitted algorithms, ideally only either symmetric or asymmetric algorithms, and should not include the 'None' algorithm. If both symmetric and asymmetric are needed, additional controls should prevent key confusion. | ✓ | ✓ | ✓ | 757 | | **3.5.6** | [ADDED] Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience. | ✓ | ✓ | ✓ | 287 | | **3.5.7** | [ADDED] Verify that key material that is used to validate cryptographically secured tokens is from trusted pre-configured sources for the token issuer, preventing attackers from specifying untrusted sources and keys. For JWTs and other JWS structures, headers such as 'jku', 'x5u', and 'jwk' must be validated against an allowlist of trusted sources. | ✓ | ✓ | ✓ | | +| **3.5.8** | [ADDED] Verify that the service receiving a token validates the token to be intended for the service (audience) before accepting the token's contents. For JWTs, this can be achieved by validating the 'aud' claim against an allowlist defined in the service. | ✓ | ✓ | ✓ | | ## V3.6 Federated Re-authentication
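Review bot: the new 3.5.8 row overlaps with 3.5.6 in the same hunk, which already names audience as an example of a security-sensitive attribute that must be verified ("in a JWT this may include issuer, subject, and audience"); if audience validation is being promoted to its own requirement, the 3.5.6 example list should drop "audience" or the two rows should reference each other, so a reviewer reading V3.5 does not see the same control required twice. The CWE column of 3.5.8 is also left empty while the neighbouring 3.5.6 row maps to 287; consider filling it so the new row is consistent with the rest of the table. Minor wording: "validates the token to be intended for the service (audience)" reads more clearly as "validates that the token is intended for it (the audience)", which also makes the parenthetical match the 'aud' claim named in the second sentence.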