OAuth 2.0 Life cycle of “code” in Authorization co

Posted 2019-07-14 16:44

Question:

Authorization code grant: I know the code is a short-lived token exchanged for the real long-lived access token. I have gone through OAuth 2.0 but could not find this information, so I am asking here:

  • What is the life cycle of code?
  • Is it for only one-time use?
  • How many times can a code be exchanged to get access token?
  • What happens to a code after an access token is given for that code?

I am using the OAuth 2.0 plugin on the Kong API gateway. It keeps the code alive for a particular time, and multiple access tokens can be generated using the same code during that time. Is this the expected behaviour?

Thanks for any advice.

Answer 1:

The authorization code must be short-lived and should be one-time use to avoid misuse. So, to answer your questions:

What is the life cycle of code?

  • When the user authenticates using the authorization_code flow, once authenticated and having granted access for the scopes, a short-lived (say 1 minute) valid code will be created and sent back to the redirect URI.

Is it for only one-time use?

  • Yes, it must be one-time use for best security. When an access token is requested using the authorization_code, then whether the request succeeds or fails (due to some validation error or server error), the authorization code must be deleted or marked as used (depending on how you want to use it).

How many times can a code be exchanged to get access token?

  • One authorization_code can grant only one access token, since the code will be revoked once an access token is issued.

What happens to a code after an access token is given for that code?

Best practice: the code can be deleted.

Check out the Google OAuth 2.0 documentation for a better understanding and to see how it is used.

https://developers.google.com/identity/protocols/OAuth2WebServer

For the Kong issue, it seems it is a bug in Kong and they promised to provide a fix in the 0.9 release. Check this discussion.
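The code lifecycle this answer describes, as an added example that is not part of the original post and not Kong's plugin code: a minimal in-memory authorization server that issues a short-lived code bound to the client and redirect URI, burns the code on the first token request whether it succeeds or fails, and treats a second presentation as a replay. The replay handling follows RFC 6749 section 4.1.2 (deny the request and revoke any token already issued from that code). The class and function names, the 60-second TTL, the injectable clock and the sample client values are all assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumed lifetime for the example; RFC 6749 recommends at most 10 minutes.
CODE_TTL_SECONDS = 60


@dataclass
class AuthCode:
    """Server-side record for one authorization code (the code itself is the dict key)."""
    client_id: str
    redirect_uri: str
    scope: str
    issued_at: float
    used: bool = False
    access_tokens: list = field(default_factory=list)  # tokens minted from this code


class AuthorizationServer:
    """Toy authorization server that tracks the life cycle of authorization codes."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.codes = {}             # code string -> AuthCode
        self.active_tokens = set()  # access tokens that are currently valid

    def issue_code(self, client_id, redirect_uri, scope):
        """Called after the user authenticated and consented; returns the code to redirect with."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthCode(client_id, redirect_uri, scope, self.clock())
        return code

    def exchange_code(self, code, client_id, redirect_uri):
        """Token endpoint. Returns (True, access_token) or (False, oauth_error_code)."""
        entry = self.codes.get(code)
        if entry is None:
            return False, "invalid_grant"
        if entry.used:
            # Replay of a code already spent: deny, and revoke every token it produced.
            for tok in entry.access_tokens:
                self.active_tokens.discard(tok)
            del self.codes[code]
            return False, "invalid_grant"
        # From here on the code is consumed, whatever the outcome of the checks below.
        entry.used = True
        if self.clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self.codes[code]
            return False, "invalid_grant"
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            del self.codes[code]
            return False, "invalid_grant"
        token = secrets.token_urlsafe(32)
        entry.access_tokens.append(token)  # kept so a later replay can revoke it
        self.active_tokens.add(token)
        return True, token

    def is_token_valid(self, token):
        return token in self.active_tokens


def demo():
    """Walks through the lifecycle with a fake clock; returns a dict of outcomes."""
    now = [1_000_000.0]
    srv = AuthorizationServer(clock=lambda: now[0])
    client, cb = "app1", "https://app.example/cb"  # constructed sample client
    results = {}

    # 1. Normal exchange: one code yields one token.
    code = srv.issue_code(client, cb, "openid")
    ok, token = srv.exchange_code(code, client, cb)
    results["first_exchange"] = ok
    results["token_valid"] = srv.is_token_valid(token)

    # 2. Replay of the same code: denied, and the earlier token is revoked.
    ok2, err = srv.exchange_code(code, client, cb)
    results["replay_denied"] = (not ok2) and err == "invalid_grant"
    results["token_revoked"] = not srv.is_token_valid(token)

    # 3. Expired code: denied once the TTL has elapsed.
    code = srv.issue_code(client, cb, "openid")
    now[0] += CODE_TTL_SECONDS + 1
    ok3, _ = srv.exchange_code(code, client, cb)
    results["expired_denied"] = not ok3

    # 4. Wrong client: denied, and the failed attempt still burns the code.
    code = srv.issue_code(client, cb, "openid")
    ok4, _ = srv.exchange_code(code, "evil-client", cb)
    ok5, _ = srv.exchange_code(code, client, cb)
    results["wrong_client_denied"] = not ok4
    results["burned_after_failure"] = not ok5
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Deleting the record on a failed exchange, while keeping a used record after a successful one, is what lets the replay branch find and revoke the token that the first exchange produced; a real server would also purge used records after the TTL so the table does not grow without bound.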



Answer 2:

The code is a short-lived, one-time access token. Once it is exchanged for an access token, it should get marked as invalid.
For the Kong issue, it is better to ask it here.