authorization code replay

Issue #349 resolved
Dave Tonge created an issue

FAPI 2.0 has this: “shall verify, if possible, that the authorization code (section 1.3.1 of [@!RFC6749]) has not been previously used”

FAPI 1.0 has this: “shall reject an authorization code (section 1.3.1 of RFC6749) if it has been previously used;”

Why can’t we keep it the same?

Comments (3)

  1. Log in to comment