AccessToken generation with AuthorizationCode in sync by multiple MPs


Hi Team,

I have a question from customer on OAuth Token API design.

They will use AuthorizationCode grant_type.
So the first API call is a request to get an AuthorizationCode, and it is followed by generating an Access Token using that code.

The question is about whether a generated AuthorizationCode can be used more than once.

The RFC specifies it as single-use, as follows.

    10.5.  Authorization Codes

    Authorization codes MUST be short lived and single-use.  If the
    authorization server observes multiple attempts to exchange an
    authorization code for an access token, the authorization server
    SHOULD attempt to revoke all access tokens already granted based on
    the compromised authorization code.
However, as they observed, the AuthorizationCode can be used twice: two distinct Access Tokens are issued, and both are valid. So it does not follow the RFC text above.

We guess that if there are multiple MPs, the sync between MPs does not happen in time when two AccessToken-generation requests arrive at different MPs simultaneously.

If this is the case, is there any way to prevent it, either by enforcing that the API requests for generating the AuthorizationCode and the AccessToken are handled in a single session on the same MP, or by syncing the MPs before generating the AccessToken on the two MPs?

I would appreciate your help on this query.

Regards,
Toshi



2 REPLIES

Toshi - that seems like a bug. I suggest that you raise a ticket and attach a working reproduction of that case to the ticket.

Thank you, Dino, for the response.

I understand that this may be a bug, but in general, sync on transactions between MPs looks like something that needs to be considered in API design, even though API requests are stateless by design.
Or, as an API design guideline, is it required in API development to allow a certain time for replication of cache and KVM data among components or datastore nodes?
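The race described in the opening post (two exchanges of one code landing on different MPs inside the replication window) and the replication-lag question in the follow-up can both be shown with a small model. The code below is an added example, not code from this thread or from Apigee: the two node classes, the node names MP-1 and MP-2, the replication lag, and the shared store are all assumptions made for illustration. The first class mimics a per-node cache that is replicated asynchronously, which lets one code produce two valid tokens; the second does the check, the client binding, the expiry test and the mark-as-used in one critical section on a shared store, so the second exchange always fails and, as RFC 6749 section 10.5 asks, revokes the token already granted for that code.

```python
"""Added example (not from the thread or from Apigee): an authorization-code
exchange on two token-endpoint nodes, with per-node caches versus an atomic
shared store. Node names, lag and store classes are assumptions."""
import secrets
import threading
import time


class LocalCacheNode:
    """Node that checks and marks the code in its own cache and pushes the
    change to its peers after a delay (constructed to mimic replication lag
    between message processors; not Apigee's real mechanism)."""

    def __init__(self, name, lag):
        self.name, self.lag, self.peers = name, lag, []
        self.codes = {}  # code -> {"used": bool, "tokens": [...]}

    def _replicate(self, code, entry):
        for peer in self.peers:
            t = threading.Timer(self.lag, peer.codes.__setitem__, (code, dict(entry)))
            t.daemon = True
            t.start()

    def issue_code(self):
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"used": False, "tokens": []}
        self._replicate(code, self.codes[code])
        return code

    def exchange(self, code):
        entry = self.codes.get(code)
        if entry is None or entry["used"]:
            return None
        entry["used"] = True  # local check-then-mark: not atomic across nodes
        token = secrets.token_urlsafe(16)
        entry["tokens"].append(token)
        self._replicate(code, entry)
        return token


class SharedCodeStore:
    """Strongly consistent store that every node calls. Lookup, client binding,
    expiry and mark-as-used happen under one lock, so the second exchange sees
    the code as used whichever node received it, and revokes the first token."""

    def __init__(self):
        self._codes, self._issued, self._revoked = {}, set(), set()
        self._lock = threading.Lock()

    def issue_code(self, client_id, ttl=60.0):
        code = secrets.token_urlsafe(16)
        with self._lock:
            self._codes[code] = {"client_id": client_id, "exp": time.time() + ttl,
                                 "used": False, "tokens": []}
        return code

    def exchange(self, code, client_id):
        with self._lock:
            entry = self._codes.get(code)
            if entry is None or entry["client_id"] != client_id or time.time() > entry["exp"]:
                return None
            if entry["used"]:
                # Replay: revoke every access token granted for this code (RFC 6749 s10.5)
                self._revoked.update(entry["tokens"])
                del self._codes[code]
                return None
            entry["used"] = True
            token = secrets.token_urlsafe(16)
            entry["tokens"].append(token)
            self._issued.add(token)
            return token

    def is_valid(self, token):
        return token in self._issued and token not in self._revoked


def demo_lagging_caches():
    """Code exchanged on MP-1 and, inside the replication window, on MP-2:
    both calls return a token, which is the double issue the thread describes."""
    mp1, mp2 = LocalCacheNode("MP-1", lag=0.05), LocalCacheNode("MP-2", lag=0.05)
    mp1.peers, mp2.peers = [mp2], [mp1]
    code = mp1.issue_code()
    time.sleep(0.2)  # let the fresh code replicate to MP-2 first
    return mp1.exchange(code), mp2.exchange(code)


def demo_shared_store():
    """Two concurrent exchanges of one code against the shared store: exactly
    one token is issued, and it is revoked when the second attempt arrives."""
    store = SharedCodeStore()
    code = store.issue_code("client-1")
    results = [None, None]

    def worker(i):
        results[i] = store.exchange(code, "client-1")

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store, [r for r in results if r is not None]


if __name__ == "__main__":
    print("per-node caches:", demo_lagging_caches())
    store, tokens = demo_shared_store()
    print("shared store: issued", len(tokens), "valid:", [store.is_valid(t) for t in tokens])
```

The point of the model is that single-use cannot be enforced by a per-node read-then-write followed by replication; the consume step has to be one atomic operation against the place all nodes agree on, and the store has to remember that the code was used (not merely delete it) so that a later replay can revoke the tokens already granted. The client_id and expiry checks are included because the same critical section is where a real token endpoint should verify them.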