Lifetime of an Authorization Code / Pre-Authorized Code
Section 6.3 of the OIDC4VCI spec introduces the authorization_pending error response, which means that the wallet must use polling to see when the issuer is ready to issue the credential. This means that the authorization code is long-lived, which is against the recommendation in RFC 6749 section 10.5. The same goes for the pre-authorized code, but there the problem is even worse because it can be easily leaked since the credential offer typically uses a custom scheme or the user posts the QR code on their social media thinking the transaction is complete when in fact it is not. I think the lifetime of the authorization code and the pre-authorized code should be as short as possible to improve security. Also, this mechanism is sort of a duplicate of the idea of the deferred credential endpoint, which makes the implementation more complex without adding any functionality.
Comments (3)
- changed status to open
- changed status to resolved
Migrated to GitHub
The fact that to use authorization_pending the auth code or pre-auth code must be valid for longer than absolutely necessary is really bad, especially in the pre-auth code case. It would be much better to issue an access token immediately and then defer issuance using the deferred credential endpoint.
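A sketch of the issuer side as proposed in this thread: a short-lived, single-use pre-authorized code that is redeemed at once, with any waiting moved behind the access token and the deferred credential endpoint. This is an added example, not code from the thread or from any real issuer; the in-memory state, the 60-second TTL and the transaction_id, issuance_pending and invalid_transaction_id names are assumptions that only loosely follow the spec's wire format.

```python
import secrets

# Constructed in-memory issuer state for this demonstration (not a real issuer).
PRE_AUTH_CODE_TTL = 60   # seconds (assumed): the code only has to survive the token exchange
_pre_auth_codes = {}     # code -> (issued_at, offer_id)
_access_tokens = {}      # access_token -> offer_id
_deferred = {}           # transaction_id -> offer_id
_ready = {}              # offer_id -> credential, once the issuer has produced it

def create_offer(offer_id, now):
    """Mint a one-time, short-lived pre-authorized code for a credential offer."""
    code = secrets.token_urlsafe(32)
    _pre_auth_codes[code] = (now, offer_id)
    return code

def token_endpoint(pre_auth_code, now):
    """Redeem the code immediately: consumed on first use, rejected after TTL, so a
    code leaked via a posted QR code is worthless once exchanged or expired."""
    entry = _pre_auth_codes.pop(pre_auth_code, None)   # single use
    if entry is None or now - entry[0] > PRE_AUTH_CODE_TTL:
        return {"error": "invalid_grant"}
    _, offer_id = entry
    token = secrets.token_urlsafe(32)
    _access_tokens[token] = offer_id
    return {"access_token": token, "token_type": "Bearer"}

def credential_endpoint(access_token):
    """Return the credential if ready; otherwise a transaction_id (assumed name) for the deferred endpoint."""
    offer_id = _access_tokens.get(access_token)
    if offer_id is None:
        return {"error": "invalid_token"}
    if offer_id in _ready:
        return {"credential": _ready[offer_id]}
    tx = secrets.token_urlsafe(16)
    _deferred[tx] = offer_id
    return {"transaction_id": tx}

def mark_ready(offer_id, credential):
    """Issuer back end finishes producing the credential (e.g. after a manual review step)."""
    _ready[offer_id] = credential

def deferred_credential_endpoint(access_token, transaction_id):
    """Wallet polls here with its access token, never with the pre-authorized code."""
    offer_id = _access_tokens.get(access_token)
    if offer_id is None or _deferred.get(transaction_id) != offer_id:
        return {"error": "invalid_transaction_id"}
    if offer_id not in _ready:
        return {"error": "issuance_pending"}
    del _deferred[transaction_id]   # one delivery per transaction
    return {"credential": _ready[offer_id]}
```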