Isn't it better for it to be worded as we want it to be, with the implication being that of course it might be difficult to do that, but that AS devs will think long and hard about sometimes not denying the request? Even with MUST, some AS will still allow reuse of auth codes. Isn't that better than flat out saying: *sure, there's a valid reason*
In other words, how do we think about RFCs? Do they exist to be followed to the letter or not at all? Or do they exist to stipulate this is the way, but acknowledge that not everyone will build a solution that holds them as law. Let's look at *SHOULD* > This word, or the adjective "RECOMMENDED", mean that there may exist valid > reasons in particular circumstances to ignore a particular item, but the > full implications must be understood and carefully weighed before choosing > a different course. I think *recommended* here is not sufficient nor are there valid reasons. "It's too hard" isn't really a valid reason. Isn't it better in this case for an AS to not be compliant with the RFC, than it is to relax this to SHOULD and have lots of AS thinking reusing auth codes is a viable solution, "because they are a special snowflake where SHOULD should apply". Are we setting the standard or instead attempting to sustain a number of "AS that are in compliance with the RFC"? Warren Parad Founder, CTO Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>. On Wed, Oct 13, 2021 at 7:17 PM Mike Jones <Michael.Jones= 40microsoft....@dmarc.ietf.org> wrote: > During today’s call, it was asked whether we should drop the OAuth 2.0 > language that: > > The client MUST NOT use the authorization code > > more than once. If an authorization code is used more than > > once, the authorization server MUST deny the request and SHOULD > > revoke (when possible) all tokens previously issued based on > > that authorization code.” > > > > The rationale given was that enforcing one-time use is impractical in > distributed authorization server deployments. > > > > Thinking about this some more, at most, we should relax this to: > > The client MUST NOT use the authorization code > > more than once. If an authorization code is used more than > > once, the authorization server SHOULD deny the request and SHOULD > > revoke (when possible) all tokens previously issued based on > > that authorization code.” > > > > In short, it should remain illegal for the client to try to reuse the > authorization code. We can relax the MUST to SHOULD in the server > requirements in recognition of the difficulty of enforcing the MUST. > > > > Code reuse is part of some attack scenarios. We must not sanction it. > > > > -- Mike > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
