It appears that if an authorization code is used once to generate an access token, the code is then consumed and removed from the database, and then the token is generated. If a subsequent request attempts to use the code again, an error is correctly returned explaining that the code cannot be found. So far, so good.

The issue and my question is: should the previously issued access token also be invalidated/expired/removed when the same code is exercised again? Presently, the access token remains valid and can be used by the userinfo endpoint.

I am asking this since the OpenID conformance tests have a test where they require an error to be returned from the userinfo endpoint in cases where the code is submitted twice. (The expectation there is that access tokens issued via that code should also become invalid.)

--
Misagh
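As an added example that is not part of this message or of the server it asks about: a minimal token endpoint in Python that keeps consumed codes on record, so that a second presentation is recognised as a replay, denied, and used to revoke every access token minted from that code. That is the behaviour RFC 6749 section 4.1.2 requires (the server MUST deny a reused code) and recommends (it SHOULD revoke all tokens previously issued based on it), and it is what the conformance test described above is checking for at the userinfo endpoint. The class and method names, the in-memory stores, the client ids and the injectable clock are assumptions made for the example.

```python
"""Authorization-code exchange with replay detection and revocation.

Added example, not the code of the server discussed above. Models the
RFC 6749 section 4.1.2 rule: if an authorization code is used more than
once, the server MUST deny the request and SHOULD revoke all tokens
previously issued based on that code. Names and storage are assumptions.
"""
import secrets
import time
from dataclasses import dataclass, field

CODE_LIFETIME = 600  # seconds; RFC 6749 recommends at most 10 minutes


@dataclass
class CodeRecord:
    client_id: str
    subject: str
    issued_at: float
    consumed: bool = False
    # Access tokens minted from this code; needed to revoke them on replay.
    tokens: list = field(default_factory=list)


class AuthorizationServer:
    """In-memory stand-in (assumed) for the code, token and userinfo stores."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._codes = {}       # code -> CodeRecord; consumed codes are KEPT
        self._tokens = {}      # access token -> subject

    def issue_code(self, client_id: str, subject: str) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id, subject, self._now())
        return code

    def exchange_code(self, code: str, client_id: str) -> dict:
        """Token endpoint: returns a token response or an OAuth error object."""
        rec = self._codes.get(code)
        if rec is None:
            return {"error": "invalid_grant"}   # unknown, or already purged
        if rec.consumed:
            # Replay of a code that was already exchanged: deny the request
            # and revoke everything that was issued on the strength of it.
            for tok in rec.tokens:
                self._tokens.pop(tok, None)
            rec.tokens.clear()
            return {"error": "invalid_grant"}
        if rec.client_id != client_id or self._now() - rec.issued_at > CODE_LIFETIME:
            return {"error": "invalid_grant"}   # wrong client or expired
        rec.consumed = True                     # mark as used, do not delete
        token = secrets.token_urlsafe(32)
        self._tokens[token] = rec.subject
        rec.tokens.append(token)
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def userinfo(self, access_token: str) -> dict:
        """UserInfo endpoint: a revoked token is simply no longer in the store."""
        subject = self._tokens.get(access_token)
        if subject is None:
            return {"error": "invalid_token"}
        return {"sub": subject}

    def purge_expired_codes(self) -> int:
        """Drop code records only once the code would have expired anyway;
        deleting a consumed code earlier makes a replay look like a random
        bad code and the server never learns it should revoke."""
        cutoff = self._now() - CODE_LIFETIME
        stale = [c for c, r in self._codes.items() if r.issued_at < cutoff]
        for c in stale:
            del self._codes[c]
        return len(stale)


def replay_scenario(server=None) -> dict:
    """The two-submission scenario from the conformance test: what does
    userinfo say about the first token before and after the replay?"""
    srv = server or AuthorizationServer()
    code = srv.issue_code("client-a", "alice")      # constructed sample client/user
    first = srv.exchange_code(code, "client-a")
    before = srv.userinfo(first["access_token"])
    second = srv.exchange_code(code, "client-a")
    after = srv.userinfo(first["access_token"])
    return {"first": first, "before": before, "second": second, "after": after}


if __name__ == "__main__":
    for step, result in replay_scenario().items():
        print(step, result)
```

The point of the design is the `consumed` flag plus the per-code token list: a server that deletes the code row on first use can only answer "code not found" to a replay, which is the behaviour the message describes, and has nothing left to tie the earlier access token to. Keeping the consumed record (or at least a code-to-tokens index) until the code's own lifetime has elapsed is what makes the revocation possible.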