[mitreid-connect] Second use of AuthorizationCode should revoke previous access token issued?

Misagh Moayyed mmoayyed at unicon.net
Wed Feb 10 08:48:19 EST 2016


It appears that if an authorization code is used once to generate an access token, the code is then consumed and removed from the database and then the token is generated. If a subsequent request attempts to use the code again, an error is correctly returned back explaining that the code cannot be found. So far, so good.

The issue and my question is: should the previously issued access token also be invalidated/expired/removed when the same code is exercised again? Presently, the access token remains valid and can be used by the userinfo endpoint.  

I am asking this, since the openid conformance tests have a test where they require an error to be returned from the userinfo endpoint in cases where the code is submitted twice. (The expectation there is that access tokens issued via that code should also become invalid) 

-- 
Misagh
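The behaviour the conformance test expects is the one RFC 6749 section 4.1.2 describes: a replayed code is denied and the tokens issued from it are revoked. Below is an added, self-contained model of that logic (not MITREid Connect code); the server, token formats and the "alice" subject are constructed for illustration, and the code is kept as a consumed record instead of being deleted so the replay can be linked back to its tokens.

```python
"""Added example: authorization-code replay revokes previously issued tokens.
Not MITREid Connect code; all identifiers here are constructed."""
import secrets


class AuthServer:
    def __init__(self):
        # code -> {"sub": str, "consumed": bool, "tokens": [access_token, ...]}
        self.codes = {}
        # access_token -> {"sub": str, "revoked": bool}
        self.tokens = {}

    def issue_code(self, sub):
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": sub, "consumed": False, "tokens": []}
        return code

    def exchange_code(self, code):
        entry = self.codes.get(code)
        if entry is None:
            raise ValueError("invalid_grant: unknown code")
        if entry["consumed"]:
            # Replay detected: deny the request and revoke every token
            # that was minted from this code (RFC 6749 section 4.1.2).
            for tok in entry["tokens"]:
                self.tokens[tok]["revoked"] = True
            raise ValueError("invalid_grant: code reused; tokens revoked")
        entry["consumed"] = True          # keep the record, do not delete it
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"sub": entry["sub"], "revoked": False}
        entry["tokens"].append(token)
        return token

    def userinfo(self, token):
        rec = self.tokens.get(token)
        if rec is None or rec["revoked"]:
            raise PermissionError("invalid_token")
        return {"sub": rec["sub"]}


def demo():
    """Exchange once, replay the code, then check the first token is dead."""
    srv = AuthServer()
    code = srv.issue_code("alice")
    access_token = srv.exchange_code(code)
    first_sub = srv.userinfo(access_token)["sub"]
    try:
        srv.exchange_code(code)
        replay_denied = False
    except ValueError:
        replay_denied = True
    try:
        srv.userinfo(access_token)
        token_revoked = False
    except PermissionError:
        token_revoked = True
    return first_sub, replay_denied, token_revoked
```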