<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">This is already reported in the following issue:<div class=""><br class=""></div><div class=""><a href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/986" class="">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/986</a></div><div class=""><br class=""></div><div class="">The short version of it is that we’d have to keep around references to old authorization codes in order to do this, which would require data model changes, so that’s not going to happen in 1.2. Furthermore, it’s a SHOULD in the specification so you can pass the conformance tests without that functionality in place, as we have done. The conformance test will generate a warning but not a failure.</div><div class=""><br class=""></div><div class=""> — Justin</div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Feb 10, 2016, at 8:48 AM, Misagh Moayyed <<a href="mailto:mmoayyed@unicon.net" class="">mmoayyed@unicon.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><style class="">body{font-family:Helvetica,Arial;font-size:13px}</style><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div id="bloop_customfont" style="font-family: Helvetica, Arial; font-size: 13px; margin: 0px;" class=""><div id="bloop_customfont" style="margin: 0px;" class="">It appears that if an authorization code is used once to generate an access token, the code is then consumed and removed from the database and then the token is generated. If a subsequent request attempts to use the code again, an error is correctly returned back explaining that that the code cannot be found. So far, so good. </div><div id="bloop_customfont" style="margin: 0px;" class=""><br class=""></div><div id="bloop_customfont" style="margin: 0px;" class="">The issue and my question is: should the previously issued access token also be invalidated/expired/removed when the same code is exercised again? Presently, the access token remains valid and can be used by the userinfo endpoint. </div><div id="bloop_customfont" style="margin: 0px;" class=""><br class=""></div><div id="bloop_customfont" style="margin: 0px;" class="">I am asking this, since the openid conformance tests have a test where they require an error to be returned from the userinfo endpoint in cases where the code is submitted twice. (The expectation there is that access tokens issued via that code should also become invalid) </div></div><div class="bloop_container"><div class="bloop_frame"> </div></div><br class=""><div id="bloop_sign_1455111921922362112" class="bloop_sign"><div style="font-family:helvetica,arial;font-size:13px" class="">-- <br class="">Misagh</div></div></div>_______________________________________________<br class="">mitreid-connect mailing list<br class=""><a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect<br class=""></div></blockquote></div><br class=""></div></body></html>