
Allow for multiple auth codes per session #46

Closed
alexbilbie opened this issue May 9, 2013 · 3 comments
Comments

@alexbilbie
Contributor

As discussed in point 7 in #41

@alexbilbie
Contributor Author

@ziege can you please explain again a scenario where you would have more than one authorization code associated with a session. I can't understand the use case.

As a client I request an (i.e. one) authorization code (with specific scopes) which I then exchange for an access token (which the scopes are associated with if the exchange is successful).

Section 5.1.5.4 of the OAuth 2.0 Threat Model (http://tools.ietf.org/html/rfc6819#section-5.1.5.4) recommends that authorization codes should be removed after one use to prevent replay attacks. I don't then understand how you could have another authorization code associated with the same session, as the client has completed its goal of obtaining an access token.

@alexbilbie
Contributor Author

So I've just spoken to Mike Jones from Microsoft, who is one of the authors of the OAuth 2 spec and is here at the same conference as me, and he says that it is recommended that you revoke the authorization code to prevent replay attacks.

The reason this isn't explicit in the spec is because in some distributed environments (e.g. an authorization endpoint which is served from many different geographical locations) there might be a delay before an authorization code is removed from all databases.

Therefore I'm closing this issue as "won't fix" because developing a distributed platform is outside of the scope of this project.
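The single-use rule discussed in the two comments above, as an added example (not code from this project, and written in Python rather than the project's own language): an in-memory store where issuing a new code for a session discards the previous one, a code is consumed atomically on exchange, and a second exchange of the same code is refused and revokes the tokens it produced, which is what RFC 6749 §4.1.2 recommends for reuse. The class, its fields and the lifetime value are assumptions for illustration.

```python
import secrets
import time

CODE_LIFETIME = 600  # seconds; constructed value for this example


class AuthCodeStore:
    """Single-use authorization codes: one live code per session, consumed on exchange."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._codes = {}         # code -> record
        self._tokens = {}        # access token -> code it was issued from
        self._by_session = {}    # session id -> currently live (unused) code

    def issue_code(self, session_id, client_id, scopes):
        # A new code supersedes any earlier unused code for the same session.
        old = self._by_session.pop(session_id, None)
        if old is not None:
            self._codes.pop(old, None)
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"session": session_id, "client": client_id,
                             "scopes": tuple(scopes),
                             "expires": self._now() + CODE_LIFETIME, "used": False}
        self._by_session[session_id] = code
        return code

    def exchange(self, code, client_id):
        """Return an access token, or None if the code is unknown, replayed, expired or mismatched."""
        rec = self._codes.get(code)
        if rec is None:
            return None
        if rec["used"]:
            # Replay: deny, and revoke every token issued from this code (RFC 6749 §4.1.2).
            # The record is kept as a "used" tombstone rather than deleted so the
            # replay can be recognised; deleting it outright also stops the replay.
            for tok in [t for t, c in self._tokens.items() if c == code]:
                del self._tokens[tok]
            return None
        if rec["client"] != client_id or rec["expires"] < self._now():
            self._codes.pop(code)          # unusable either way; drop it
            self._by_session.pop(rec["session"], None)
            return None
        rec["used"] = True                 # mark consumed before issuing the token
        self._by_session.pop(rec["session"], None)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = code
        return token

    def token_valid(self, token):
        return token in self._tokens
```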

@cziegenberg
Contributor

Sorry, didn't have the chance to answer earlier. You are right, you should only have one Auth Code and delete all previous ones - I think I mixed this up with multiple Access Tokens.
