I was reviewing 3.6.2. Client Requests Access Token <http://tools.ietf.org/id/draft-ietf-oauth-v2-05.html#anchor18> and it occurred to me that there's no requirement in the spec (that I can find) that a given callback URI and verification code can only be exchanged for access and refresh tokens at most once. Should the verification code include an encoded nonce from the auth server so that it is only usable once?
I seem to recall one of the social engineering attacks in OAuth 1.0 was mitigated by ensuring that the user authorization could only be redeemed for an access token once. Thanks. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
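The single-use redemption the message asks for, as an added example that is not part of the original post or of the draft: a minimal in-memory authorization server whose token endpoint accepts a verification code at most once, binds it to the client and redirect URI it was issued for, expires it, and, on a second presentation, treats the request as a replay and revokes every token minted from that code. The class, method and field names, the 60-second lifetime, and the `invalid_grant` error string (borrowed from the later RFC 6749 error vocabulary) are assumptions made for this illustration, not anything the draft-05 text specifies.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class AuthCode:
    """Server-side record for one issued verification (authorization) code.

    The code string itself is the nonce; everything it is bound to lives here,
    on the server, so the client cannot forge or alter the binding.
    """
    client_id: str
    redirect_uri: str
    user_id: str
    issued_at: float
    redeemed: bool = False
    tokens: list = field(default_factory=list)  # tokens minted from this code


@dataclass
class TokenResponse:
    access_token: str
    refresh_token: str


class AuthorizationServer:
    """Hypothetical token endpoint logic (constructed for this example)."""

    CODE_TTL = 60.0  # seconds a code stays redeemable; an assumed value

    def __init__(self) -> None:
        self._codes = {}   # code -> AuthCode
        self._tokens = {}  # token -> True if active, False if revoked

    def issue_code(self, client_id: str, redirect_uri: str, user_id: str,
                   now: Optional[float] = None) -> str:
        # 256 bits from the OS CSPRNG: unguessable, and unique per authorization,
        # so the server-side record is what makes the code single-use.
        code = secrets.token_urlsafe(32)
        self._codes[code] = AuthCode(
            client_id, redirect_uri, user_id,
            time.time() if now is None else now,
        )
        return code

    def exchange_code(self, client_id: str, redirect_uri: str, code: str,
                      now: Optional[float] = None) -> Tuple[Optional[TokenResponse], Optional[str]]:
        """Redeem a code for tokens. Returns (response, None) or (None, error)."""
        now = time.time() if now is None else now
        rec = self._codes.get(code)
        if rec is None:
            return None, "invalid_grant"
        if rec.redeemed:
            # Second presentation of the same code, whatever the other
            # parameters say: assume it leaked, and pull every token it produced.
            for tok in rec.tokens:
                self._tokens[tok] = False
            return None, "invalid_grant"
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            # Code is bound to the client and callback it was issued for.
            return None, "invalid_grant"
        if now - rec.issued_at > self.CODE_TTL:
            del self._codes[code]
            return None, "invalid_grant"
        rec.redeemed = True  # burn the code before handing out anything
        resp = TokenResponse(secrets.token_urlsafe(32), secrets.token_urlsafe(32))
        for tok in (resp.access_token, resp.refresh_token):
            self._tokens[tok] = True
            rec.tokens.append(tok)
        return resp, None

    def token_active(self, token: str) -> bool:
        """What the resource server would ask before honouring a token."""
        return self._tokens.get(token, False)


if __name__ == "__main__":
    srv = AuthorizationServer()
    cb = "https://client.example/cb"
    code = srv.issue_code("client-a", cb, "alice")
    first, _ = srv.exchange_code("client-a", cb, code)
    replay, err = srv.exchange_code("client-a", cb, code)
    print("first exchange ok:", first is not None)
    print("replay rejected:", replay is None and err == "invalid_grant")
    print("original token still active:", srv.token_active(first.access_token))
```

The `redeemed` check sits before the client and redirect-URI comparison on purpose: a stolen code presented with the wrong parameters is still evidence of a leak, and revoking the tokens already issued is what turns "can be redeemed twice" into a loss for the attacker rather than for the user.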
