Allow for multiple auth codes per session #46
Comments
@ziege can you please explain again a scenario where you would have more than one authorization code associated with a session. I can't understand the use case. As a client I request an (i.e. one) authorization code (with specific scopes) which I then exchange for an access token (which the scopes are associated with if the exchange is successful). Section 5.1.5.4 of the OAuth 2.0 Threat Model (http://tools.ietf.org/html/rfc6819#section-5.1.5.4) recommends that authorization codes should be removed after one use to prevent replay attacks. I don't then understand how you could have another authorization code associated with the same session as the client has completed its goal of obtaining an access token.
So I've just spoken to Mike Jones from Microsoft who is one of the authors of the OAuth 2 spec and is here at the same conference as me and he says that it is recommended that you revoke the authorization code to prevent replay attacks. The reason this isn't explicit in the spec is because in some distributed environments (e.g. an authorization endpoint which is served from many different geographical locations) there might be a delay between an authorization code being removed in all databases. Therefore I'm closing this issue as "won't fix" because developing a distributed platform is outside of the scope of this project.
Sorry, didn't have the chance to answer earlier. You are right, you should only have one Auth Code and delete all previous ones - I think I mixed this up with multiple Access Tokens.
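The rule the thread settles on (one live authorization code per session, consumed on first exchange, replay rejected, per RFC 6819 section 5.1.5.4) as an added illustration; this is not the project's code, and the class and method names are hypothetical.

```python
"""Single-use authorization codes (added example, not this project's code).

One outstanding code per session: issuing a new code supersedes the old one,
the first exchange consumes the code, and any later use of it is refused.
"""
import secrets
import time


class AuthCodeStore:
    """In-memory store: code -> record, plus session -> its current code.

    Single-node only. In a replicated store the pop-on-exchange below must be
    an atomic delete, or a replayed code can succeed on a lagging replica
    (the distributed caveat raised in the thread).
    """

    def __init__(self, ttl_seconds=600):
        self._codes = {}        # code -> {"session", "scopes", "expires"}
        self._by_session = {}   # session_id -> outstanding code
        self._ttl = ttl_seconds

    def issue(self, session_id, scopes, now=None):
        """Mint a code for the session, retiring any earlier unexchanged one."""
        now = time.time() if now is None else now
        old = self._by_session.pop(session_id, None)
        if old is not None:
            self._codes.pop(old, None)   # a session never has two live codes
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "session": session_id,
            "scopes": frozenset(scopes),
            "expires": now + self._ttl,
        }
        self._by_session[session_id] = code
        return code

    def exchange(self, code, now=None):
        """Return the code's record exactly once; replay or expiry yields None."""
        now = time.time() if now is None else now
        record = self._codes.pop(code, None)   # removed on first use, success or not
        if record is None:
            return None
        self._by_session.pop(record["session"], None)
        if now > record["expires"]:
            return None
        return record
```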
As discussed in point 7 in #41