During today's call, it was asked whether we should drop the OAuth 2.0 language
that:
"The client MUST NOT use the authorization code
more than once. If an authorization code is used more than
once, the authorization server MUST deny the request and SHOULD
revoke (when possible) all tokens previously issued based on
that authorization code."
The rationale given was that enforcing one-time use is impractical in
distributed authorization server deployments.
Thinking about this some more, at most, we should relax this to:
"The client MUST NOT use the authorization code
more than once. If an authorization code is used more than
once, the authorization server SHOULD deny the request and SHOULD
revoke (when possible) all tokens previously issued based on
that authorization code."
In short, it should remain illegal for the client to try to reuse the
authorization code. We can relax the MUST to SHOULD in the server requirements
in recognition of the difficulty of enforcing the MUST.
Code reuse is part of some attack scenarios. We must not sanction it.
-- Mike
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
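The server-side behaviour the message argues for (consume a code once, deny a second redemption, and revoke every token minted from that code), written out as an added example that is not part of the original message or of any OAuth implementation. The in-memory dictionaries and the lock are stand-ins for the shared state a real deployment would need; the atomic check-and-set inside the lock is exactly the part that becomes hard across distributed authorization servers.

```python
import secrets
import threading


class AuthorizationServer:
    """Toy authorization server enforcing one-time use of authorization codes.

    A code is consumed atomically; a second redemption is denied with
    invalid_grant and all tokens previously issued from that code are revoked.
    """

    def __init__(self):
        self._lock = threading.Lock()
        self._codes = {}          # code -> {"client_id": str, "used": bool}
        self._issued = {}         # code -> [access tokens issued from it]
        self._active_tokens = set()

    def issue_code(self, client_id):
        """Mint a fresh code bound to the client it was issued to."""
        code = secrets.token_urlsafe(32)
        with self._lock:
            self._codes[code] = {"client_id": client_id, "used": False}
        return code

    def redeem_code(self, code, client_id):
        """Token endpoint: exchange a code for an access token, once."""
        with self._lock:
            entry = self._codes.get(code)
            # Unknown code, or code issued to a different client: deny.
            if entry is None or entry["client_id"] != client_id:
                return {"error": "invalid_grant"}
            if entry["used"]:
                # Reuse detected: deny and revoke everything derived from it,
                # since either the client or an attacker replayed the code.
                for token in self._issued.pop(code, []):
                    self._active_tokens.discard(token)
                return {"error": "invalid_grant"}
            entry["used"] = True  # check-and-set happens under the lock
            token = secrets.token_urlsafe(32)
            self._issued.setdefault(code, []).append(token)
            self._active_tokens.add(token)
            return {"access_token": token, "token_type": "Bearer"}

    def is_token_active(self, token):
        """Resource-server view: has this token been revoked?"""
        return token in self._active_tokens
```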