[mitreid-connect] Second use of AuthorizationCode should revoke previous access token issued?
Justin Richer
jricher at mit.edu
Wed Feb 10 11:58:26 EST 2016
This is already reported in the following issue:
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/986
The short version of it is that we’d have to keep around references to old authorization codes in order to do this, which would require data model changes, so that’s not going to happen in 1.2. Furthermore, it’s a SHOULD in the specification so you can pass the conformance tests without that functionality in place, as we have done. The conformance test will generate a warning but not a failure.
— Justin
> On Feb 10, 2016, at 8:48 AM, Misagh Moayyed <mmoayyed at unicon.net> wrote:
>
> It appears that if an authorization code is used once to generate an access token, the code is then consumed and removed from the database and then the token is generated. If a subsequent request attempts to use the code again, an error is correctly returned back explaining that the code cannot be found. So far, so good.
>
> The issue and my question is: should the previously issued access token also be invalidated/expired/removed when the same code is exercised again? Presently, the access token remains valid and can be used by the userinfo endpoint.
>
> I am asking this, since the openid conformance tests have a test where they require an error to be returned from the userinfo endpoint in cases where the code is submitted twice. (The expectation there is that access tokens issued via that code should also become invalid)
>
> --
> Misagh
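The behaviour the thread is discussing, as an added Python sketch that is not MITREid Connect code: the server keeps each consumed code together with the tokens issued from it, so a second redemption is denied and the earlier access token stops working at the userinfo endpoint. The class, its dictionaries and the subject naming are invented for the example.

```python
# Added illustration of the RFC 6749 SHOULD discussed in the thread: an in-memory
# token endpoint that remembers consumed authorization codes (the extra bookkeeping
# the reply says the 1.x data model lacks) so that a replayed code both fails and
# revokes the tokens previously issued from it. Invented example, not project code.
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    # code -> (client_id, subject) for codes not yet redeemed
    pending_codes: dict = field(default_factory=dict)
    # consumed code -> list of access tokens issued from it
    consumed_codes: dict = field(default_factory=dict)
    # live access token -> subject
    access_tokens: dict = field(default_factory=dict)

    def issue_code(self, client_id: str, subject: str) -> str:
        """Authorization endpoint: mint a single-use code bound to a client."""
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = (client_id, subject)
        return code

    def redeem_code(self, code: str, client_id: str) -> dict:
        """Token endpoint: exchange a code for an access token."""
        if code in self.consumed_codes:
            # Replay: deny, and revoke every token issued from this code earlier
            for token in self.consumed_codes[code]:
                self.access_tokens.pop(token, None)
            self.consumed_codes[code] = []
            return {"error": "invalid_grant"}
        entry = self.pending_codes.get(code)
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        del self.pending_codes[code]
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = entry[1]
        self.consumed_codes[code] = [token]  # keep the link for later revocation
        return {"access_token": token, "token_type": "Bearer"}

    def userinfo(self, token: str) -> dict:
        """Userinfo endpoint: revoked tokens are simply no longer present."""
        subject = self.access_tokens.get(token)
        if subject is None:
            return {"error": "invalid_token"}
        return {"sub": subject}
```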