Hi Team,
I have a question from a customer on OAuth Token API design.
They will use the AuthorizationCode grant_type.
So the first API call is a request to get an AuthorizationCode, and it is followed by generating an Access Token using it.
The question is about whether a generated AuthorizationCode can be used more than one time.
By the RFC it is specified as single-use, as follows:

"10.5. Authorization Codes
Authorization codes MUST be short lived and single-use. If the authorization server observes multiple attempts to exchange an authorization code for an access token, the authorization server SHOULD attempt to revoke all access tokens already granted based on the compromised authorization code."

However, as they observed, the AuthorizationCode can be used twice, and distinct Access Tokens are given and both are valid. So it does not follow the above RFC spec.
Toshi - that seems like a bug. I suggest that you raise a ticket and attach a working reproduction of that case to the ticket.
Thank you Dino for the response.
I understand that this can be a bug, but in general, sync on transactions between MPs looks necessary to be considered for API design, even though the API request is stateless by design.
Or is it required of the API development to consider a certain time to replicate cache and KVM data among components or datastore nodes, as an API design guideline?
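As an added illustration of the single-use rule quoted above (this is example code, not Apigee's implementation): an in-memory model of a token endpoint that consumes an authorization code atomically and, on a replayed code, revokes every access token already minted from it. The lock stands in for whatever shared store the message processors would need to agree on consumed codes; the 60-second lifetime is an assumed value.

```python
import secrets
import threading
import time

# Assumed code lifetime; the RFC only says "short lived".
CODE_TTL_SECONDS = 60


class AuthorizationServer:
    """Minimal model of RFC 6749 section 10.5 behaviour (example code)."""

    def __init__(self):
        # In a multi-node deployment this lock would have to be a shared,
        # atomic operation on the common datastore, not a process-local lock.
        self._lock = threading.Lock()
        self._codes = {}   # code -> {"issued_at", "used", "tokens"}
        self._tokens = {}  # access token -> {"code", "active"}

    def issue_code(self, now=None):
        """Mint a fresh, unused authorization code."""
        code = secrets.token_urlsafe(32)
        with self._lock:
            self._codes[code] = {
                "issued_at": time.time() if now is None else now,
                "used": False,
                "tokens": [],
            }
        return code

    def exchange(self, code, now=None):
        """Exchange a code for an access token; raise ValueError otherwise.

        Unknown or expired codes are rejected. A replayed code is rejected
        and every token previously granted from it is revoked.
        """
        now = time.time() if now is None else now
        with self._lock:  # check-and-consume must be one atomic step
            entry = self._codes.get(code)
            if entry is None or now - entry["issued_at"] > CODE_TTL_SECONDS:
                raise ValueError("invalid_grant: unknown or expired code")
            if entry["used"]:
                for tok in entry["tokens"]:
                    self._tokens[tok]["active"] = False
                raise ValueError("invalid_grant: code reused, prior tokens revoked")
            entry["used"] = True
            token = secrets.token_urlsafe(32)
            entry["tokens"].append(token)
            self._tokens[token] = {"code": code, "active": True}
            return token

    def is_active(self, token):
        """True while the access token has not been revoked."""
        return self._tokens.get(token, {}).get("active", False)
```

The behaviour the customer observed (two distinct, valid tokens from one code) corresponds to the second `exchange` call succeeding; here it fails and invalidates the first token instead.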