[mitreid-connect] Second use of AuthorizationCode should revoke previous access token issued?

Misagh Moayyed mmoayyed at unicon.net
Wed Feb 10 13:58:06 EST 2016


Thanks, Justin.

-- 
Misagh

From: Justin Richer <jricher at mit.edu>
Reply: Justin Richer <jricher at mit.edu>
Date: February 10, 2016 at 5:58:36 PM
To: Misagh Moayyed <mmoayyed at unicon.net>
CC: mitreid-connect at mit.edu <mitreid-connect at mit.edu>
Subject: Re: [mitreid-connect] Second use of AuthorizationCode should revoke previous access token issued?

This is already reported in the following issue:

https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/986

The short version of it is that we’d have to keep around references to old authorization codes in order to do this, which would require data model changes, so that’s not going to happen in 1.2. Furthermore, it’s a SHOULD in the specification so you can pass the conformance tests without that functionality in place, as we have done. The conformance test will generate a warning but not a failure.

 — Justin


On Feb 10, 2016, at 8:48 AM, Misagh Moayyed <mmoayyed at unicon.net> wrote:

It appears that if an authorization code is used once to generate an access token, the code is then consumed and removed from the database and then the token is generated. If a subsequent request attempts to use the code again, an error is correctly returned back explaining that the code cannot be found. So far, so good.

The issue and my question is: should the previously issued access token also be invalidated/expired/removed when the same code is exercised again? Presently, the access token remains valid and can be used by the userinfo endpoint.

I am asking this, since the OpenID conformance tests have a test where they require an error to be returned from the userinfo endpoint in cases where the code is submitted twice. (The expectation there is that access tokens issued via that code should also become invalid.)

-- 
Misagh
_______________________________________________
mitreid-connect mailing list
mitreid-connect at mit.edu
http://mailman.mit.edu/mailman/listinfo/mitreid-connect
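As an added example (not MITREid Connect code), the in-memory store below shows the data-model change Justin refers to: a consumed authorization code is kept as a tombstone pointing at the access tokens it produced, so a second presentation of the code can revoke them (the RFC 6749 section 4.1.2 SHOULD the thread discusses). With `revoke_on_replay=False` it reproduces the behaviour Misagh observed, where the first token stays usable at userinfo; all class names, client ids and token values are constructed.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class CodeRecord:
    client_id: str
    consumed: bool = False
    issued_tokens: set = field(default_factory=set)  # access tokens this code produced
class TokenService:
    """Constructed authorization-server state, not MITREid Connect's data model."""
    def __init__(self, revoke_on_replay):
        self.revoke_on_replay = revoke_on_replay
        self.codes = {}             # code -> CodeRecord; consumed codes stay as tombstones
        self.access_tokens = set()  # currently valid access tokens
    def issue_code(self, client_id):
        code = secrets.token_urlsafe(16)
        self.codes[code] = CodeRecord(client_id)
        return code
    def exchange_code(self, code, client_id):
        rec = self.codes.get(code)
        if rec is None:
            raise ValueError("invalid_grant")
        if rec.consumed:
            # Second use of the code: deny it and, when enabled, revoke every token the
            # first use produced (the RFC 6749 section 4.1.2 SHOULD the thread discusses).
            if self.revoke_on_replay:
                self.access_tokens.difference_update(rec.issued_tokens)
                rec.issued_tokens.clear()
            raise ValueError("invalid_grant")
        if rec.client_id != client_id:
            raise ValueError("invalid_grant")
        rec.consumed = True
        token = secrets.token_urlsafe(32)
        rec.issued_tokens.add(token)
        self.access_tokens.add(token)
        return token
    def userinfo_allowed(self, token):
        return token in self.access_tokens

def replay_scenario(revoke_on_replay):
    """Exchange one code twice; return (error on the second use, first token still valid?)."""
    svc = TokenService(revoke_on_replay)
    code = svc.issue_code("client-a")
    token = svc.exchange_code(code, "client-a")
    try:
        svc.exchange_code(code, "client-a")
        error = None
    except ValueError as exc:
        error = str(exc)
    return error, svc.userinfo_allowed(token)
```

The conformance check in the thread corresponds to `replay_scenario(True)`: the second exchange fails and the first access token no longer passes `userinfo_allowed`.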
