<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Thanks Justin.&nbsp;</div> <br> <div id="bloop_sign_1455130665933166080" class="bloop_sign"><div style="font-family:helvetica,arial;font-size:13px">--&nbsp;<br>Misagh</div></div> <div class="airmail_ext_on" style="color:black"><br>From:&nbsp;<span style="color:black">Justin Richer</span> <a href="mailto:jricher@mit.edu">&lt;jricher@mit.edu&gt;</a><br>Reply:&nbsp;<span style="color:black">Justin Richer</span> <a href="mailto:jricher@mit.edu">&lt;jricher@mit.edu&gt;</a><br>Date:&nbsp;<span style="color:black">February 10, 2016 at 5:58:36 PM</span><br>To:&nbsp;<span style="color:black">Misagh Moayyed</span> <a href="mailto:mmoayyed@unicon.net">&lt;mmoayyed@unicon.net&gt;</a><br>CC:&nbsp;<span style="color:black">mitreid-connect@mit.edu</span> <a href="mailto:mitreid-connect@mit.edu">&lt;mitreid-connect@mit.edu&gt;</a><br>Subject:&nbsp;<span style="color:black"> Re: [mitreid-connect] Second use of AuthorizationCode should revoke previous access token issued? <br></span></div><br> <blockquote type="cite" class="clean_bq"><span><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div></div><div>
This is already reported in the following issue:
<div class=""><br class=""></div>
<div class=""><a href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/986" class="">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/986</a></div>
<div class=""><br class=""></div>
<div class="">The short version of it is that we’d have to keep
around references to old authorization codes in order to do this,
which would require data model changes, so that’s not going to
happen in 1.2. Furthermore, it’s a SHOULD in the specification so
you can pass the conformance tests without that functionality in
place, as we have done. The conformance test will generate a
warning but not a failure.</div>
<div class=""><br class=""></div>
<div class="">&nbsp;— Justin</div>
<div class=""><br class=""></div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Feb 10, 2016, at 8:48 AM, Misagh Moayyed
&lt;<a href="mailto:mmoayyed@unicon.net" class="">mmoayyed@unicon.net</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div id="bloop_customfont" style="font-family: Helvetica, Arial; font-size: 13px; margin: 0px;" class="">
<div id="bloop_customfont" style="margin: 0px;" class="">It appears
that if an authorization code is used once to generate an access
token, the code is then consumed and removed from the database and
then the token is generated. If a subsequent request attempts to
use the code again, an error is correctly returned back explaining
that the code cannot be found. So far, so good.&nbsp;</div>
<div id="bloop_customfont" style="margin: 0px;" class=""><br class=""></div>
<div id="bloop_customfont" style="margin: 0px;" class="">The issue
and my question is: should the previously issued access token also
be invalidated/expired/removed when the same code is exercised
again? Presently, the access token remains valid and can be used by
the userinfo endpoint. &nbsp;</div>
<div id="bloop_customfont" style="margin: 0px;" class=""><br class=""></div>
<div id="bloop_customfont" style="margin: 0px;" class="">I am
asking this, since the openid conformance tests have a test where
they require an error to be returned from the userinfo endpoint in
cases where the code is submitted twice. (The expectation there is
that access tokens issued via that code should also become
invalid)&nbsp;</div>
</div>
<br class="">
<div id="bloop_sign_1455111921922362112" class="bloop_sign">
<div style="font-family:helvetica,arial;font-size:13px" class="">
--&nbsp;<br class="">
Misagh</div>
</div>
</div>
_______________________________________________<br class="">
mitreid-connect mailing list<br class="">
<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">
http://mailman.mit.edu/mailman/listinfo/mitreid-connect<br class=""></div>
</blockquote>
</div>
<br class=""></div>


</div></div></span></blockquote></body></html>
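The behaviour the thread discusses (RFC 6749 section 4.1.2: a replayed authorization code MUST be rejected, and the server SHOULD revoke all tokens previously issued from it) as an added, self-contained example. This is not code from MITREid Connect or from either poster, and it is written in Python rather than the project's Java because it only models the token-endpoint logic, not the project's API. All class, method and field names (AuthorizationServer, IssuedCode, token, userinfo, purge) and the sample client and subject values are assumptions for the demo. The point it makes concrete is the one Justin raises: to revoke on replay, the server has to keep the consumed code record and the tokens minted from it instead of deleting the code on first use.

```python
"""Authorization-code replay handling for an OAuth 2.0 / OIDC token endpoint.

Added example (not MITREid Connect code). Models RFC 6749 s4.1.2:
a second presentation of an authorization code is denied, and every
token issued from that code is revoked. Names are assumptions.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    subject: str
    expires_at: float
    consumed: bool = False
    # Tokens minted from this code; retained so a replay can revoke them.
    # This is the extra state a "delete the code on use" model lacks.
    tokens: list = field(default_factory=list)


class AuthorizationServer:
    def __init__(self, code_ttl=60, retention=600):
        self._codes = {}        # code value -> IssuedCode (kept after use)
        self._tokens = {}       # access/refresh token value -> subject
        self._code_ttl = code_ttl
        self._retention = retention  # how long consumed codes are remembered

    def issue_code(self, client_id, redirect_uri, subject):
        """Authorization endpoint: mint a single-use, short-lived code."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(
            client_id, redirect_uri, subject, time.time() + self._code_ttl)
        return code

    def token(self, code, client_id, redirect_uri):
        """Token endpoint for grant_type=authorization_code."""
        rec = self._codes.get(code)
        if rec is None or rec.expires_at < time.time():
            return {"error": "invalid_grant"}
        if rec.consumed:
            # Replay: deny regardless of who presents it, and revoke
            # everything previously issued from this code (the SHOULD).
            for tok in rec.tokens:
                self._tokens.pop(tok, None)
            rec.tokens.clear()
            return {"error": "invalid_grant"}
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}
        rec.consumed = True
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self._tokens[access] = rec.subject
        self._tokens[refresh] = rec.subject
        rec.tokens.extend([access, refresh])
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer"}

    def userinfo(self, access_token):
        """UserInfo endpoint: a revoked token is rejected here."""
        sub = self._tokens.get(access_token)
        if sub is None:
            return {"error": "invalid_token"}
        return {"sub": sub}

    def purge(self, now=None):
        """Drop code records once they are expired and past retention,
        so the replay check does not keep them forever."""
        now = time.time() if now is None else now
        for code in [c for c, r in self._codes.items()
                     if r.expires_at + self._retention < now]:
            del self._codes[code]
        return len(self._codes)


def demo():
    """Exercise first use, replay, and the resulting revocation."""
    srv = AuthorizationServer()
    code = srv.issue_code("client-a", "https://app.example/cb", "alice")
    first = srv.token(code, "client-a", "https://app.example/cb")
    before = srv.userinfo(first["access_token"])
    replay = srv.token(code, "client-a", "https://app.example/cb")
    after = srv.userinfo(first["access_token"])
    return first, before, replay, after


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: a consumed code triggers revocation before the client_id and redirect_uri comparison, so a replay by a different client (the case where the code was stolen) still invalidates the legitimate client's tokens. The retention window bounds the cost of keeping consumed codes; a code that is only deleted on use cannot support this at all, which is the data-model change the reply refers to.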