Comments (3)
@ziege can you please explain again a scenario where you would have more than one authorization code associated with a session. I can't understand the use case.
As a client I request an (i.e. one) authorization code (with specific scopes) which I then exchange for an access token (which the scopes are associated with if the exchange is successful).
Section 5.1.5.4 of the OAuth 2.0 Threat Model (http://tools.ietf.org/html/rfc6819#section-5.1.5.4) recommends that authorization codes should be removed after one use to prevent replay attacks. I don't then understand how you could have another authorization code associated with the same session as the client has completed its goal of obtaining an access token.
from oauth2-server.
So I've just spoken to Mike Jones from Microsoft who is one of the authors of the OAuth 2 spec and is here at the same conference as me and he says that it is recommended that you revoke the authorization code to prevent replay attacks.
The reason this isn't explicit in the spec is because in some distributed environments (e.g. an authorization endpoint which is served from many different geographical locations) there might be a delay between an authorization code being removed in all databases.
Therefore I'm closing this issue as "won't fix" because developing a distributed platform is outside of the scope of this project.
Sorry, didn't have the chance to answer earlier. You are right, you should only have one Auth Code and delete all previous ones - I think I mixed this with multiple Access Tokens.
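The single-use rule the thread converges on (RFC 6819 section 5.1.5.4: delete the authorization code on first exchange so a replay of the same code fails) is easy to get wrong if the code is looked up and then deleted in two separate steps. The following is an added example, not code from league/oauth2-server, that models the token-endpoint side of the exchange in Python. The in-memory store, the 60-second code lifetime, the `replay_attempts` counter and the `_consumed` set used to tell a replayed code apart from an unknown one are assumptions of this example.

```python
"""Single-use authorization codes: read-and-delete on exchange, replay rejected.

Added example; not the project's code. Store, TTL and the replay counter are
assumptions made for illustration.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class AuthCode:
    client_id: str
    redirect_uri: str
    scopes: frozenset
    expires_at: float


class AuthorizationServer:
    """Minimal token-endpoint state: a code lives in _codes until it is exchanged once."""

    def __init__(self, code_ttl: float = 60.0, clock: Callable[[], float] = time.time):
        self.code_ttl = code_ttl        # short lifetime narrows the replay window
        self.clock = clock              # injectable so tests can control time
        self._codes: dict[str, AuthCode] = {}
        self._consumed: set[str] = set()  # codes already exchanged (assumed bookkeeping)
        self._tokens: dict[str, frozenset] = {}
        self.replay_attempts = 0        # count of second uses; worth alerting on

    def issue_code(self, client_id: str, redirect_uri: str, scopes) -> str:
        """Authorization endpoint: bind a fresh random code to client, redirect URI and scopes."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = AuthCode(
            client_id, redirect_uri, frozenset(scopes), self.clock() + self.code_ttl
        )
        return code

    def exchange_code(self, code: str, client_id: str, redirect_uri: str) -> dict:
        """Token endpoint: exchange a code exactly once; any later use is rejected."""
        # pop() reads and deletes in one step, so the first exchange wins and
        # a replayed exchange of the same code finds nothing.
        entry = self._codes.pop(code, None)
        if entry is None:
            if code in self._consumed:
                self.replay_attempts += 1
                return {"error": "invalid_grant",
                        "error_description": "authorization code already used"}
            return {"error": "invalid_grant",
                    "error_description": "unknown authorization code"}
        self._consumed.add(code)
        if entry.expires_at < self.clock():
            return {"error": "invalid_grant",
                    "error_description": "authorization code expired"}
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return {"error": "invalid_grant",
                    "error_description": "code not issued to this client/redirect_uri"}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = entry.scopes
        return {"access_token": token, "token_type": "Bearer",
                "scope": " ".join(sorted(entry.scopes))}


if __name__ == "__main__":
    srv = AuthorizationServer()
    code = srv.issue_code("client-a", "https://app.example/cb", ["read"])  # constructed values
    print(srv.exchange_code(code, "client-a", "https://app.example/cb"))   # access_token
    print(srv.exchange_code(code, "client-a", "https://app.example/cb"))   # already used
    print("replay attempts:", srv.replay_attempts)                          # 1
```

Deleting the code in the same operation that reads it is the point; in a backing store that replicates across regions (the distributed case raised in the second comment) a plain read-then-delete can let two endpoints each hand out a token for one code, so the delete needs to be atomic in that store as well. The `_consumed` set here is unbounded for simplicity; a real server would expire those entries with the same TTL as the codes.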