[Openid-specs-ab] Issue #1057: OIDCC appears to override single-use nature of auth code in RFC6749 (openid/connect)

Joseph Heenan issues-reply at bitbucket.org
Sun Nov 4 15:20:59 UTC 2018


New issue 1057: OIDCC appears to override single-use nature of auth code in RFC6749
https://bitbucket.org/openid/connect/issues/1057/oidcc-appears-to-override-single-use

Joseph Heenan:

https://openid.net/specs/openid-connect-core-1_0.html#TokenRequestValidation says:

> If possible, verify that the Authorization Code has not been previously used.

However https://tools.ietf.org/html/rfc6749#section-10.5 says:

> Authorization codes MUST be short lived and single-use.


My reading of this is that OAuth2 requires that authorisation codes are single use, and OIDCC is weakening this requirement. My understanding is the OIDCC should generally extend OAuth2 and should not conflict with the underlying RFCs. (I had a search for previous discussion on this point but failed to find any. The certification suite seems to have a test called OP-OAuth-2nd which I think requires the authorisation codes are single use, but I'm not 100% sure).

I think for consistency the 'if possible' should be removed from OIDCC and replaced with a 'MUST'.
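As an added illustration that is not part of the issue above or of any OpenID/OAuth implementation, the following Python sketch shows what the strict reading looks like at the token endpoint: an authorization code is bound to its client and redirect URI, expires after a short TTL, and is accepted exactly once. A second presentation is denied, and the tokens minted from the first use are revoked, which is what RFC 6749 section 4.1.2 asks of the authorization server when a code is reused. All names (`TokenEndpoint`, `redeem_code`, `CodeRecord`) and the sample client/redirect values are hypothetical.

```python
"""Single-use authorization codes at the token endpoint (example code for this
thread, not from OpenID Connect Core or any named server). Models RFC 6749
section 10.5 (short-lived, single-use codes) and section 4.1.2 (deny reuse and
revoke tokens previously issued on that code). All names are hypothetical."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class CodeRecord:
    client_id: str
    redirect_uri: str
    expires_at: float
    used: bool = False
    issued_tokens: list = field(default_factory=list)


class TokenEndpoint:
    """Minimal in-memory code store plus the token-request validation."""

    def __init__(self, code_ttl=60.0, clock=time.time):
        self.code_ttl = code_ttl        # seconds; RFC 6749 recommends at most 10 minutes
        self.clock = clock              # injectable so tests are deterministic
        self._codes = {}                # code -> CodeRecord
        self.revoked_tokens = set()     # tokens invalidated because their code was reused

    def issue_code(self, client_id, redirect_uri):
        """Authorization endpoint side: mint an unguessable code bound to the client."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id, redirect_uri, self.clock() + self.code_ttl)
        return code

    def redeem_code(self, code, client_id, redirect_uri):
        """Token endpoint side. Returns (True, access_token) on success or
        (False, "invalid_grant") on any failure, so the caller leaks no detail."""
        rec = self._codes.get(code)
        if rec is None:
            return False, "invalid_grant"
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return False, "invalid_grant"
        if rec.used:
            # Reuse: deny, and revoke everything the first redemption produced
            self.revoked_tokens.update(rec.issued_tokens)
            return False, "invalid_grant"
        if self.clock() > rec.expires_at:
            self._codes.pop(code, None)
            return False, "invalid_grant"
        rec.used = True                 # the MUST-level single-use rule
        token = secrets.token_urlsafe(32)
        rec.issued_tokens.append(token)
        return True, token

    def token_is_valid(self, token):
        """Resource-server side check against the reuse-triggered revocation list."""
        return token not in self.revoked_tokens
```

The `used` flag is the whole point of the "MUST" reading: the code record is kept (marked used) rather than deleted, so a later replay can be recognised and the earlier tokens pulled. In a real server the flip from unused to used has to be atomic in the backing store (a conditional update or equivalent), otherwise two concurrent token requests carrying the same code can both pass the check.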