AS providing new nonce in authorization code grant should not consume authorization code #164
Comments
|
Yeah, the AS challenging with a new nonce would not count an authorization code as 'used'. And I believe you are quite correct that it's not mentioned in the spec. To be honest, it never even occurred to me to mention it because it seems fundamental. And a natural result of any implementation that doesn't go way out of the way to do something strange/unnecessary. |
|
I concur that this doesn't seem like something that needs to be spelled out. It is the natural expected behaviour. |
|
Brian apparently has more confidence in implementors than I generally do :-) It was my expectation too, but I was surprised at the seemingly opposite expectation being expressed pretty firmly in the first comment on the above oauth 2.1 issue (link in my first comment) - not in a dpop context, admittedly. |
Related to oauth-wg/oauth-v2-1#82
This "is the authorization code consumed on an unsuccessful token endpoint operation" question seems relevant to DPoP, if an otherwise successful authorization code grant is rejected due to the AS wanting to provide a new nonce, the authorization code should presumably not be counted as 'used'. I did a quick scan of the spec but couldn't see this mentioned, I wonder if this should be spelled out?
The text was updated successfully, but these errors were encountered: