51.1.1 wording improvement

[elarlang]

#	Description	L1	L2	L3
51.1.1	[ADDED] Verify that tokens are only sent to components that strictly need them. For example, avoid having access or refresh tokens accessible for the frontend when they are only needed by the backend.	✓	✓	✓

Needs some language change to avoid the word avoid (as it is a command for the user, not requirement for an application).

edit: maybe we should list examples for access token, refresh token and ID-token?

[TobiasAhnoff]

Perhaps remove "avoid" and have something like this?

Verify that tokens are only sent to components that strictly need them. For example, access and refresh tokens should only be accessible for the backend (using a backend-for-frontend pattern for browser-based JavaScript applications).

or

Verify that tokens are only sent to components that strictly need them. For example, it is recommended to only have access and refresh tokens accessible for the backend (using a backend-for-frontend pattern for browser-based JavaScript applications).

[elarlang]

We need to avoid "should" and "recommended" in the requirements. The word "requirement" itself says it is "required" - MUST have as specified in https://datatracker.ietf.org/doc/html/rfc2119#section-1

[TobiasAhnoff]

Then maybe this?

Verify that tokens are only sent to trusted components that strictly need them. For example, when using a backend-for-frontend pattern for browser-based JavaScript applications, access and refresh tokens shall only be accessible for the backend.

[elarlang]

Seems good, ping @randomstuff

[randomstuff]

OK for me.

[elarlang]

@TobiasAhnoff - please do the PR

[elarlang]

Probably did not read it carefully enough before PR, but I don't like too much the word trusted here. I think the point for this requirement is not to define what the trusted component is and that is why it is not good to use the word at all.

[TobiasAhnoff]

Ok, I agree, the word trusted need some context, I will update the PR