[Openid-specs-ab] Issue #1057: OIDCC appears to override single-use nature of auth code in RFC6749 (openid/connect)
Joseph Heenan
issues-reply at bitbucket.org
Sun Nov 4 15:20:59 UTC 2018
New issue 1057: OIDCC appears to override single-use nature of auth code in RFC6749
https://bitbucket.org/openid/connect/issues/1057/oidcc-appears-to-override-single-use
Joseph Heenan:
https://openid.net/specs/openid-connect-core-1_0.html#TokenRequestValidation says:
> If possible, verify that the Authorization Code has not been previously used.
However https://tools.ietf.org/html/rfc6749#section-10.5 says:
> Authorization codes MUST be short lived and single-use.
My reading of this is that OAuth2 requires that authorisation codes are single use, and OIDCC is weakening this requirement. My understanding is that OIDCC should generally extend OAuth2 and should not conflict with the underlying RFCs. (I had a search for previous discussion on this point but failed to find any. The certification suite seems to have a test called OP-OAuth-2nd which I think requires that authorisation codes are single use, but I'm not 100% sure.)
I think for consistency the 'if possible' should be removed from OIDCC and replaced with a 'MUST'.
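As an added illustration of the single-use requirement under discussion (example code written for this page, not part of the issue, the OIDC Core text or the certification suite): a minimal in-memory token endpoint that consumes an authorisation code exactly once, rejects expired or mis-bound codes, and, on a replayed code, denies the request and revokes the tokens it previously issued, as RFC 6749 section 4.1.2 recommends. The 60-second lifetime, the injectable clock and all class and method names are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass, field

CODE_LIFETIME_SECONDS = 60  # assumed value; RFC 6749 only says "short lived"


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    issued_at: float
    consumed: bool = False
    tokens: list = field(default_factory=list)  # tokens minted from this code


class AuthorizationServer:
    """Toy authorization server keeping codes in memory (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._codes = {}           # code -> IssuedCode
        self._revoked = set()      # access tokens revoked after a code replay

    def issue_code(self, client_id, redirect_uri):
        code = secrets.token_urlsafe(32)  # unguessable, bound to client + redirect
        self._codes[code] = IssuedCode(client_id, redirect_uri, self._now())
        return code

    def exchange_code(self, code, client_id, redirect_uri):
        entry = self._codes.get(code)
        if entry is None or entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}
        if self._now() - entry.issued_at > CODE_LIFETIME_SECONDS:
            return {"error": "invalid_grant"}
        if entry.consumed:
            # Replay: deny, and revoke everything issued from this code earlier.
            # In a real deployment this check-and-set must be one atomic DB operation.
            self._revoked.update(entry.tokens)
            return {"error": "invalid_grant"}
        entry.consumed = True
        token = secrets.token_urlsafe(32)
        entry.tokens.append(token)
        return {"access_token": token, "token_type": "Bearer"}

    def is_token_valid(self, token):
        issued = any(token in e.tokens for e in self._codes.values())
        return issued and token not in self._revoked
```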