The code is tied to the client, and is single use. In principle, over time a server may generate the same code more than once. The code is the only way an Authorization server has to differentiate between instances of clients.

If you were to have two instances of a client with the same code value at the same time, that is likely to go very wrong. So there must never be two codes issued within the same validity window. (That is why they are single use with a short lifetime like 5 min.) You will say: what if they are issued to two different client IDs? Assuming they are confidential clients that might be possible, but it is still a horrible idea; don't do it!

John B.

On 2012-09-01, at 5:39 PM, Bilal Ashraf <[email protected]> wrote:

> Hi,
>
> In Authorization code flow, after resource owner authentication and approval,
> the application is provided with an authorization code in response by
> authorization server. The authorization code is basically the resource owner
> authorization to the application for resource owner data access. That means
> authorization code is bound to the application.
>
> Is it possible that for two resource owner authentications, the same authorization
> code is returned in response? e.g.
>
> Resource owner 1 : Authenticate successfully -> Approval -> authorization
> code = 123 issued
> Resource owner 2 : Authenticate successfully -> Approval -> authorization
> code = 123 issued
>
> Regards,
> Bilal Ashraf
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
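The properties discussed in the reply above (a code bound to one client, single use, short lifetime, never live twice) as an added worked example of an authorization server's code store. This is illustration code written for this page, not code from the thread or from any OAuth implementation; the class and method names, the in-memory dicts, the 300-second lifetime and the sample client IDs are all assumptions. The deny-and-revoke behaviour on reuse follows RFC 6749 section 4.1.2, which says a replayed code MUST be denied and tokens already issued from it SHOULD be revoked.

```python
import secrets
import time
from dataclasses import dataclass, field

# "Short lifetime like 5 min" from the thread; assumed value for this example.
CODE_LIFETIME_SECONDS = 300


@dataclass
class IssuedCode:
    client_id: str        # the client the code is bound to
    redirect_uri: str     # redirect URI used on the authorization request
    subject: str          # resource owner who approved the request
    expires_at: float
    used: bool = False
    tokens: list = field(default_factory=list)  # access tokens minted from this code


class AuthorizationServer:
    """Assumed minimal AS state: an in-memory code store and token store."""

    def __init__(self):
        self._codes = {}    # code -> IssuedCode (kept after use so replay is detectable)
        self._tokens = {}   # access_token -> code it was minted from

    def issue_code(self, client_id, redirect_uri, subject, now=None):
        now = time.time() if now is None else now
        # 256 bits of randomness makes a collision between two live codes negligible;
        # the store is still checked so the same code value is never live twice.
        code = secrets.token_urlsafe(32)
        while code in self._codes:
            code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(
            client_id, redirect_uri, subject, now + CODE_LIFETIME_SECONDS
        )
        return code

    def redeem_code(self, code, client_id, redirect_uri, now=None):
        """Token endpoint logic. Returns (access_token, None) or (None, error)."""
        now = time.time() if now is None else now
        entry = self._codes.get(code)
        if entry is None:
            return None, "invalid_grant"
        if entry.used:
            # Replay of a single-use code: deny, and revoke what it already produced
            # (RFC 6749 4.1.2), since a second presenter may be an attacker.
            self._revoke_tokens_from_code(code)
            return None, "invalid_grant"
        if now > entry.expires_at:
            return None, "invalid_grant"
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            # Code is bound to one client; another client ID cannot redeem it.
            return None, "invalid_grant"
        entry.used = True
        token = secrets.token_urlsafe(32)
        self._tokens[token] = code
        entry.tokens.append(token)
        return token, None

    def token_is_valid(self, token):
        return token in self._tokens

    def purge_expired(self, now=None):
        """Drop codes once they can no longer be presented, freeing the store."""
        now = time.time() if now is None else now
        for code in [c for c, e in self._codes.items() if now > e.expires_at]:
            del self._codes[code]

    def _revoke_tokens_from_code(self, code):
        for token in self._codes[code].tokens:
            self._tokens.pop(token, None)
        self._codes[code].tokens.clear()


if __name__ == "__main__":
    # Constructed demo: issue, redeem once, then replay the same code.
    server = AuthorizationServer()
    code = server.issue_code("client-a", "https://a.example/cb", "alice", now=1000.0)
    print(server.redeem_code(code, "client-a", "https://a.example/cb", now=1010.0))
    print(server.redeem_code(code, "client-a", "https://a.example/cb", now=1020.0))
```

Used codes stay in the store until they expire so that a replay can be told apart from a code that was never issued; if the store simply deleted a code on first use, the second presenter would just get a generic failure and the earlier token would survive.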
