This "is the authorization code consumed on an unsuccessful token endpoint operation" question seems relevant to DPoP: if an otherwise successful authorization code grant is rejected due to the AS wanting to provide a new nonce, the authorization code should presumably not be counted as 'used'. I did a quick scan of the spec but couldn't see this mentioned; I wonder if this should be spelled out?
Yeah, the AS challenging with a new nonce would not count an authorization code as 'used'. And I believe you are quite correct that it's not mentioned in the spec. To be honest, it never even occurred to me to mention it because it seems fundamental. And a natural result of any implementation that doesn't go way out of the way to do something strange/unnecessary.
Brian apparently has more confidence in implementors than I generally do :-)
It was my expectation too, but I was surprised at the seemingly opposite expectation being expressed pretty firmly in the first comment on the above oauth 2.1 issue (link in my first comment) - not in a dpop context, admittedly.
Related to oauth-wg/oauth-v2-1#82
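The behaviour discussed above, as an added example that is not part of this issue or of the DPoP spec's own code: a simulated token endpoint that checks the DPoP nonce before it marks the authorization code as used, so a `use_dpop_nonce` challenge leaves the code redeemable, while the `consume_first` switch shows the "strange" ordering that would strand the client. The stores, client id and single-use nonce policy are constructed assumptions for the example.

```python
import secrets

USE_DPOP_NONCE = "use_dpop_nonce"   # error code the AS returns with a fresh DPoP-Nonce


class TokenEndpoint:
    """Constructed in-memory stand-in for a DPoP-enabled AS token endpoint."""

    def __init__(self, consume_first: bool = False):
        self.codes = {}            # code -> {"client_id": ..., "used": bool}
        self.nonces = set()        # nonces this AS currently accepts (assumed single-use)
        self.consume_first = consume_first   # True reproduces the broken ordering

    def issue_code(self, client_id: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "used": False}
        return code

    def _fresh_nonce(self) -> str:
        nonce = secrets.token_urlsafe(16)
        self.nonces.add(nonce)
        return nonce

    def exchange(self, code: str, client_id: str, dpop_nonce) -> dict:
        entry = self.codes.get(code)
        if entry is None or entry["used"] or entry["client_id"] != client_id:
            return {"status": 400, "error": "invalid_grant"}
        if self.consume_first:
            entry["used"] = True   # wrong: code burned before the nonce challenge
        # Validate the DPoP proof's nonce before touching the code's state,
        # so a nonce challenge does not count as a use of the code.
        if dpop_nonce not in self.nonces:
            return {"status": 400, "error": USE_DPOP_NONCE,
                    "dpop_nonce": self._fresh_nonce()}
        self.nonces.discard(dpop_nonce)
        entry["used"] = True       # consumed only on a successful grant
        return {"status": 200, "token_type": "DPoP",
                "access_token": secrets.token_urlsafe(16)}


def walk_through(consume_first: bool = False) -> list:
    """Client sends no nonce, is challenged, retries with it, then replays the code."""
    server = TokenEndpoint(consume_first)
    code = server.issue_code("client-1")
    first = server.exchange(code, "client-1", None)                       # challenged
    second = server.exchange(code, "client-1", first.get("dpop_nonce"))   # should succeed
    third = server.exchange(code, "client-1", first.get("dpop_nonce"))    # replay rejected
    return [first.get("error"), second.get("error", second["status"]), third.get("error")]
```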