SAMMY works best on screens 1024px wide or larger.
ASVS
Browse ASVS
V10.7: Consent Management
V10.7.1
V10.7.1: Verify that the authorization server ensures that the user consents to each authorization request. If the identity of the client cannot be assured, the authorization server must always explicitly prompt the user for consent.

Verify that the authorization server ensures that the user consents to each authorization request. If the identity of the client cannot be assured, the authorization server must always explicitly prompt the user for consent.

ASVS Maturity
Not applicable - The control is not applicable for the given scope.
Not implemented / not verified - The control is not implemented or not verified.
Limited implementation - The control is implemented for the most critical parts of the codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).
Systematic implementation - The control is systematically implemented and pervasive in the codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).
Full implementation - The control is fully implemented for the complete codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).
Description

Verify that the authorization server ensures that the user consents to each authorization request. If the identity of the client cannot be assured, the authorization server must always explicitly prompt the user for consent.

V10.7.2
V10.7.2: Verify that when the authorization server prompts for user consent, it presents sufficient and clear information about what is being consented to. When applicable, this should include the nature of the requested authorizations (typically based on scope, resource server, Rich Authorization Requests (RAR) authorization details), the identity of the authorized application, and the lifetime of these authorizations.

Verify that when the authorization server prompts for user consent, it presents sufficient and clear information about what is being consented to. When applicable, this should include the nature of the requested authorizations (typically based on scope, resource server, Rich Authorization Requests (RAR) authorization details), the identity of the authorized application, and the lifetime of these authorizations.

ASVS Maturity
Not applicable - The control is not applicable for the given scope.
Not implemented / not verified - The control is not implemented or not verified.
Limited implementation - The control is implemented for the most critical parts of the codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).
Systematic implementation - The control is systematically implemented and pervasive in the codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).
Full implementation - The control is fully implemented for the complete codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).
Description

Verify that when the authorization server prompts for user consent, it presents sufficient and clear information about what is being consented to. When applicable, this should include the nature of the requested authorizations (typically based on scope, resource server, Rich Authorization Requests (RAR) authorization details), the identity of the authorized application, and the lifetime of these authorizations.

V10.7.3
V10.7.3: Verify that the user can review, modify, and revoke consents which the user has granted through the authorization server.

Verify that the user can review, modify, and revoke consents which the user has granted through the authorization server.

ASVS Maturity
Not applicable - The control is not applicable for the given scope.
Not implemented / not verified - The control is not implemented or not verified.
Limited implementation - The control is implemented for the most critical parts of the codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).
Systematic implementation - The control is systematically implemented and pervasive in the codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).
Full implementation - The control is fully implemented for the complete codebase. It is verified either manually (internally or externally) or automatically (using test cases or security automation tooling).
Description

Verify that the user can review, modify, and revoke consents which the user has granted through the authorization server.