Authorization Code Grant: I know the code is a short-lived token that is exchanged for the real, long-lived access token. I have gone through OAuth 2.0 but could not find this information, so I am asking here:
- What is the life cycle of a code?
- Is it for one-time use only?
- How many times can a code be exchanged to get an access token?
- What happens to a code after an access token is given for that code?
I am using the OAuth 2.0 plugin on the Kong API gateway. It is keeping the code alive for a particular time, and multiple access tokens can be generated using the same code during that time. Is this the expected behaviour?
Thanks for any advice.
An authorization code must be short-lived and should be one-time use to avoid fake use. So, to answer your questions:
What is the life cycle of a code?
Is it for one-time use only?
How many times can a code be exchanged to get an access token?
What happens to a code after an access token is given for that code?
Best practice: the code can be deleted.
Check out the Google OAuth 2.0 documentation for a better understanding and to see how it is used.
https://developers.google.com/identity/protocols/OAuth2WebServer
For the Kong issue, it seems it is a bug in Kong, and they promised to provide a fix in the 0.9 release. Check this discussion.
The code is a short-lived, one-time access token. Once it is exchanged for an access token, it should get marked as invalid.
For the Kong issue, it is better to ask it here
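Both answers above describe the same rule from RFC 6749 section 4.1.2: a code is bound to one client and redirect URI, expires quickly (the RFC recommends at most ten minutes), may be exchanged exactly once, and a second exchange attempt must be denied and should revoke any token already minted from that code. The following in-memory authorization server is an added example written for this page; it is not the Kong plugin's code or anything from the original posts. The 60-second lifetime, the `AuthorizationServer` class and its method names are constructed for illustration, and the clock is injectable only so the expiry path can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed lifetime for this example; RFC 6749 recommends at most 10 minutes.
CODE_TTL_SECONDS = 60


@dataclass
class AuthCode:
    """Server-side record for one issued authorization code."""
    client_id: str
    redirect_uri: str
    issued_at: float
    used: bool = False
    tokens_issued: list = field(default_factory=list)


class AuthorizationServer:
    """Minimal token endpoint showing the single-use, short-lived code rule.

    Hypothetical class for this example; a real server would persist the
    code store and tokens rather than keep them in process memory.
    """

    def __init__(self, clock=time.time, ttl=CODE_TTL_SECONDS):
        self._clock = clock          # injectable so tests can advance time
        self._ttl = ttl
        self._codes = {}             # code string -> AuthCode
        self._active_tokens = set()  # access tokens that are still valid

    def issue_code(self, client_id, redirect_uri):
        """Authorization endpoint: mint a fresh code bound to client and redirect URI."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = AuthCode(client_id, redirect_uri, self._clock())
        return code

    def exchange_code(self, code, client_id, redirect_uri):
        """Token endpoint: exchange a code exactly once, within its lifetime."""
        record = self._codes.get(code)
        if record is None:
            return {"error": "invalid_grant"}
        # The code is only valid for the client and redirect URI it was issued to.
        if record.client_id != client_id or record.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}
        # Expired codes are dropped; the client has to start a new authorization.
        if self._clock() - record.issued_at > self._ttl:
            del self._codes[code]
            return {"error": "invalid_grant"}
        # Replay: deny, and revoke every token previously issued on this code
        # (RFC 6749 section 4.1.2), because someone else may hold the first one.
        if record.used:
            for token in record.tokens_issued:
                self._active_tokens.discard(token)
            del self._codes[code]
            return {"error": "invalid_grant"}
        # First and only legitimate exchange: mark the code consumed, mint a token.
        record.used = True
        token = secrets.token_urlsafe(32)
        record.tokens_issued.append(token)
        self._active_tokens.add(token)
        return {"access_token": token, "token_type": "Bearer"}

    def token_is_active(self, token):
        """Resource-server side check: has this token been revoked?"""
        return token in self._active_tokens


if __name__ == "__main__":
    server = AuthorizationServer()
    code = server.issue_code("app1", "https://app.example/cb")
    print("first exchange :", server.exchange_code(code, "app1", "https://app.example/cb"))
    print("second exchange:", server.exchange_code(code, "app1", "https://app.example/cb"))
```

The consumed record is kept until it expires rather than deleted on first use; that is what lets the server tell a replayed code apart from a random invalid one and revoke the earlier token. The behaviour the question describes in Kong, several access tokens from one code within the lifetime, is exactly the `record.used` branch this example refuses.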