[Openid-specs-fapi] Issue #538: Lifetime of authorization codes (openid/fapi)

josephheenan issues-reply at bitbucket.org
Wed Aug 24 14:48:04 UTC 2022


New issue 538: Lifetime of authorization codes
https://bitbucket.org/openid/fapi/issues/538/lifetime-of-authorization-codes

Joseph Heenan:

As per discussion under [https://bitbucket.org/openid/fapi/issues/534/authorization-request-leaks-lead-to-csrf#comment-64002704](https://bitbucket.org/openid/fapi/issues/534/authorization-request-leaks-lead-to-csrf#comment-64002704) - long-lived authorization codes can make this attack easier.

The only guidance we’re aware of on authorization code lifetimes is RFC 6749, 4.1.2:

> A maximum authorization code lifetime of 10 minutes is RECOMMENDED.

Discussion on today’s call indicated that shorter lifetimes are more usual these days, with lifetimes of one minute being mentioned as in use in various vendor default configurations.

There doesn’t seem to be anything in [https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics) either, so we should raise this with the OAuth WG as well.
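As an added illustration (not code from the FAPI working group or any vendor), the following hypothetical in-memory authorization code store enforces the lifetime at redemption time, so a leaked code becomes useless once the window has passed; it also makes codes single-use and bound to the issuing client_id and redirect_uri. The 600-second value is the RFC 6749 §4.1.2 recommended maximum and the 60-second value is the one-minute vendor default mentioned above; the `clock` parameter is an assumption added so the behaviour can be tested without waiting.

```python
import secrets
import time
from dataclasses import dataclass

RFC6749_MAX_LIFETIME_S = 600    # RFC 6749 s4.1.2: 10 minutes RECOMMENDED as the maximum
VENDOR_DEFAULT_LIFETIME_S = 60  # one-minute default mentioned on the FAPI call


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    issued_at: float
    used: bool = False


class AuthorizationCodeStore:
    """Hypothetical AS-side store; the lifetime is checked when the code is redeemed."""

    def __init__(self, lifetime_s: int = VENDOR_DEFAULT_LIFETIME_S, clock=time.time):
        self.lifetime_s = lifetime_s
        self.clock = clock  # injectable clock (assumption) so expiry can be tested offline
        self._codes: dict = {}

    def issue(self, client_id: str, redirect_uri: str) -> str:
        # Unguessable code, bound to the client and redirect_uri it was issued for.
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(client_id, redirect_uri, self.clock())
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str) -> str:
        """Return 'ok' on success, otherwise the RFC 6749 token-endpoint error name."""
        entry = self._codes.get(code)
        if entry is None or entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return "invalid_grant"
        if entry.used:
            # Replay of an already-redeemed code: reject and forget it.
            del self._codes[code]
            return "invalid_grant"
        if self.clock() - entry.issued_at > self.lifetime_s:
            # Expired: a code leaked via the authorization request is now worthless.
            del self._codes[code]
            return "invalid_grant"
        entry.used = True
        return "ok"
```

With a one-minute lifetime a code presented 61 seconds after issue is rejected, whereas a store configured with the RFC 6749 ten-minute maximum still accepts it.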



More information about the Openid-specs-fapi mailing list