[Openid-specs-ab] Issue #1057: OIDCC appears to override single-use nature of auth code in RFC6749 (openid/connect)
issues-reply at bitbucket.org
Sun Nov 4 15:20:59 UTC 2018
New issue 1057: OIDCC appears to override single-use nature of auth code in RFC6749
> If possible, verify that the Authorization Code has not been previously used.
However https://tools.ietf.org/html/rfc6749#section-10.5 says:
> Authorization codes MUST be short lived and single-use.
My reading of this is that OAuth2 requires that authorisation codes are single use, and OIDCC is weakening this requirement. My understanding is that OIDCC should generally extend OAuth2 and should not conflict with the underlying RFCs. (I had a search for previous discussion on this point but failed to find any. The certification suite seems to have a test called OP-OAuth-2nd which I think requires that authorisation codes are single use, but I'm not 100% sure.)
I think for consistency the 'if possible' should be removed from OIDCC and replaced with a 'MUST'.
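As an added illustration of the single-use rule the reporter wants made mandatory (this is example code written for this note, not from the original post, the OpenID Connect specification or the certification suite): a toy token endpoint that treats an authorization code as consumed on first exchange, rejects any later attempt with `invalid_grant`, and, on detecting a second attempt, revokes the tokens already issued from that code, which is the mitigation RFC 6749 §10.5 recommends. The class, method and parameter names, the 60-second code lifetime and the in-memory storage are all assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumed lifetime for this example; RFC 6749 only requires codes to be "short lived".
CODE_TTL_SECONDS = 60.0


@dataclass
class CodeRecord:
    """Server-side state for one issued authorization code (hypothetical structure)."""
    client_id: str
    redirect_uri: str
    expires_at: float
    used: bool = False
    tokens_issued: Set[str] = field(default_factory=set)


@dataclass
class ExchangeResult:
    ok: bool
    access_token: Optional[str] = None
    error: Optional[str] = None


class AuthorizationServer:
    """Minimal, in-memory authorization server enforcing single-use codes (example only)."""

    def __init__(self) -> None:
        self._codes: Dict[str, CodeRecord] = {}
        self._active_tokens: Set[str] = set()

    def issue_code(self, client_id: str, redirect_uri: str, now: Optional[float] = None) -> str:
        """Mint an unguessable code bound to the client and redirect URI it was issued for."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id, redirect_uri, now + CODE_TTL_SECONDS)
        return code

    def exchange_code(self, code: str, client_id: str, redirect_uri: str,
                      now: Optional[float] = None) -> ExchangeResult:
        """Token endpoint logic: a code may be exchanged exactly once, before it expires."""
        now = time.time() if now is None else now
        rec = self._codes.get(code)
        if rec is None:
            return ExchangeResult(False, error="invalid_grant")

        if rec.used:
            # Replay detected: deny the request and revoke every token derived from
            # this code, since the code may have been stolen (RFC 6749 §10.5).
            for token in rec.tokens_issued:
                self._active_tokens.discard(token)
            return ExchangeResult(False, error="invalid_grant")

        # The code must be redeemed by the client it was issued to, with the same redirect URI.
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return ExchangeResult(False, error="invalid_grant")
        if now > rec.expires_at:
            return ExchangeResult(False, error="invalid_grant")

        # Mark consumed *before* issuing the token so a concurrent second exchange cannot win.
        rec.used = True
        token = secrets.token_urlsafe(32)
        rec.tokens_issued.add(token)
        self._active_tokens.add(token)
        return ExchangeResult(True, access_token=token)

    def token_is_active(self, token: str) -> bool:
        """Resource servers would consult this (or introspection) before honouring a token."""
        return token in self._active_tokens


if __name__ == "__main__":
    srv = AuthorizationServer()
    code = srv.issue_code("client-a", "https://app.example/cb", now=1000.0)
    first = srv.exchange_code(code, "client-a", "https://app.example/cb", now=1001.0)
    second = srv.exchange_code(code, "client-a", "https://app.example/cb", now=1002.0)
    print("first exchange ok:", first.ok)
    print("second exchange error:", second.error)
    print("first token still active:", srv.token_is_active(first.access_token))
```

Marking the record as used before the token is minted is the detail that matters in a real deployment: with a shared database the "check then mark" must be an atomic update (for example a conditional `UPDATE ... WHERE used = false`), otherwise two simultaneous exchanges of the same code can both succeed and the single-use guarantee is lost.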