[Openid-specs-fapi] Issue #397: query over certification test for access tokens being revoked when authorization codes are reused (openid/fapi)

josephheenan issues-reply at bitbucket.org
Fri Mar 26 16:40:02 UTC 2021


New issue 397: query over certification test for access tokens being revoked when authorization codes are reused
https://bitbucket.org/openid/fapi/issues/397/query-over-certification-test-for-access

Joseph Heenan:

The FAPI certification tests contain a test that tries to reuse an authorization code (which must be rejected) and then checks if the originally issued access token is revoked or not, and raises a warning if it is not revoked.
This comes from [https://tools.ietf.org/html/rfc6749#section-4.1.2](https://tools.ietf.org/html/rfc6749#section-4.1.2):

```
If an authorization code is used more than
once, the authorization server MUST deny the request and SHOULD
revoke (when possible) all tokens previously issued based on
that authorization code. 
```

It’s only a warning so it doesn’t prevent certification, but this check generates a number of questions and worries. Significant numbers of implementations don’t revoke the access token, in particular (but not limited to) the ones using JWT-style access tokens.

I think it’s worth questioning whether this check has any real value - given the use of sender constrained tokens, secure client authentication, no public clients, etc., I’m not sure there’s any security issue here and hence we might as well drop this check and give people some happiness, but it would be useful to get opinions from the working group’s security experts.
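To make the behaviour under discussion concrete, here is an added example (not code from the FAPI issue, from RFC 6749, or from the OpenID conformance suite): a toy authorization server that enforces the RFC 6749 section 4.1.2 rule quoted above, denying a replayed code and revoking the tokens it previously produced, together with a function that mirrors the certification check the post describes (deny the replay, then look at whether the first access token is still active). All names (`AuthorizationServer`, `exchange_code`, `conformance_check`, the `revoke_on_reuse` switch) and the sample client values are invented for the illustration.

```python
# Added example (not code from the FAPI issue, RFC 6749 or the OpenID conformance
# suite): a toy authorization server enforcing the RFC 6749 section 4.1.2 rule on
# authorization-code reuse, plus a function mirroring the certification check.
# All names and sample values below are invented for the illustration.
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class CodeRecord:
    """Server-side state for one authorization code."""
    client_id: str
    redirect_uri: str
    issued_at: float
    consumed: bool = False
    tokens: list = field(default_factory=list)  # token ids minted from this code


class AuthorizationServer:
    CODE_LIFETIME_SECONDS = 600

    def __init__(self, revoke_on_reuse: bool = True) -> None:
        # revoke_on_reuse=False models the implementations the post mentions that
        # deny the replay (the MUST) but leave earlier tokens alive (skip the SHOULD).
        self.revoke_on_reuse = revoke_on_reuse
        self._codes: dict = {}
        # Token ids a resource server or introspection endpoint would accept. With
        # stateless JWT-style access tokens there is no such table; revocation would
        # need a denylist of 'jti' values that every resource server consults, which
        # is why such deployments often do not revoke at all.
        self._active_tokens: set = set()

    def issue_code(self, client_id: str, redirect_uri: str) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id, redirect_uri, time.time())
        return code

    def exchange_code(self, code: str, client_id: str, redirect_uri: str) -> dict:
        rec = self._codes.get(code)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec.consumed:
            # Second use of the same code: MUST deny; SHOULD revoke what it produced.
            if self.revoke_on_reuse:
                for token in rec.tokens:
                    self._active_tokens.discard(token)
            return {"error": "invalid_grant"}
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}
        if time.time() - rec.issued_at > self.CODE_LIFETIME_SECONDS:
            return {"error": "invalid_grant"}
        rec.consumed = True  # single use, even if the response below is lost
        access_token = secrets.token_urlsafe(32)
        rec.tokens.append(access_token)
        self._active_tokens.add(access_token)
        return {"access_token": access_token, "token_type": "Bearer"}

    def is_token_active(self, token: str) -> bool:
        """What an introspection endpoint (RFC 7662 style) would answer."""
        return token in self._active_tokens


def conformance_check(server: AuthorizationServer) -> str:
    """Mirror of the test described in the post: redeem a code, replay it, then see
    whether the first access token survived. Returns 'FAIL' if the replay was
    accepted, 'WARNING' if it was denied but the token lives on, else 'PASS'."""
    client_id, redirect_uri = "client-a", "https://client.example/cb"  # constructed
    code = server.issue_code(client_id, redirect_uri)
    first = server.exchange_code(code, client_id, redirect_uri)
    if "access_token" not in first:
        raise RuntimeError("first exchange should succeed")
    replay = server.exchange_code(code, client_id, redirect_uri)
    if "access_token" in replay:
        return "FAIL"
    return "PASS" if not server.is_token_active(first["access_token"]) else "WARNING"


if __name__ == "__main__":
    print("revoking AS     :", conformance_check(AuthorizationServer()))
    print("non-revoking AS :", conformance_check(AuthorizationServer(revoke_on_reuse=False)))
```

Running the block shows the two outcomes the post contrasts: the revoking server gets `PASS`, while the server that only denies the replay gets the `WARNING` the conformance suite raises. The ordering in `exchange_code` matters: the `consumed` check runs before client and redirect-URI validation so that any replay of a spent code, whoever sends it, triggers the revocation path.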