Lifetime of authorization codes
As per the discussion under https://bitbucket.org/openid/fapi/issues/534/authorization-request-leaks-lead-to-csrf#comment-64002704, long-lived authorization codes can make this attack easier.
The only guidance we’re aware of on authorization code lifetimes is RFC 6749, 4.1.2:
A maximum authorization code lifetime of 10 minutes is RECOMMENDED.
Discussion on today’s call indicated that shorter lifetimes are more usual these days, with lifetimes of one minute being mentioned as in use in various vendor default configurations.
There doesn’t seem to be anything in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics either, so we should raise this with the OAuth WG as well.
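To make the lifetime question concrete, the following is an added example (not code from this issue, from the FAPI working group, or from any vendor) of how an authorization server can enforce a short code lifetime together with the other RFC 6749 section 4.1.2 checks (single use, and binding to the client and redirect URI). The store, its method names and the sample client values are hypothetical; the two lifetime constants are the values quoted on this page (the 10-minute RFC maximum and the 60-second figure raised on the call).

```python
import secrets
import time
from dataclasses import dataclass

# Lifetime figures from the discussion: RFC 6749 4.1.2 recommends at most
# 10 minutes; the FAPI call converged on 60 seconds as the usual vendor default.
RFC6749_MAX_LIFETIME_SECONDS = 600
PROPOSED_LIFETIME_SECONDS = 60


@dataclass
class IssuedCode:
    """Server-side record for one authorization code (hypothetical layout)."""
    client_id: str
    redirect_uri: str
    issued_at: float
    used: bool = False


class AuthorizationCodeStore:
    """Hypothetical in-memory authorization code store.

    ``clock`` is injectable so the expiry logic can be exercised without sleeping.
    """

    def __init__(self, lifetime_seconds=PROPOSED_LIFETIME_SECONDS, clock=time.time):
        if lifetime_seconds <= 0 or lifetime_seconds > RFC6749_MAX_LIFETIME_SECONDS:
            raise ValueError("lifetime must be between 1 and 600 seconds (RFC 6749 4.1.2)")
        self.lifetime_seconds = lifetime_seconds
        self.clock = clock
        self._codes: dict[str, IssuedCode] = {}

    def issue(self, client_id: str, redirect_uri: str) -> str:
        """Issue a fresh, unguessable code after the user has consented."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(client_id, redirect_uri, self.clock())
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str) -> str:
        """Validate a code presented at the token endpoint.

        Returns one of: "ok", "unknown", "replayed", "expired",
        "client_mismatch", "redirect_mismatch". A code is consumed on success,
        so a second presentation is reported as "replayed".
        """
        entry = self._codes.get(code)
        if entry is None:
            return "unknown"
        if entry.used:
            # RFC 6749 4.1.2: reuse should be treated as a compromise signal;
            # forget the code so it cannot be presented again.
            del self._codes[code]
            return "replayed"
        if self.clock() - entry.issued_at > self.lifetime_seconds:
            del self._codes[code]
            return "expired"
        if entry.client_id != client_id:
            return "client_mismatch"
        if entry.redirect_uri != redirect_uri:
            return "redirect_mismatch"
        entry.used = True
        return "ok"


def demo(lifetime_seconds: int = PROPOSED_LIFETIME_SECONDS) -> dict:
    """Walk a code through redemption, replay and expiry using a fake clock."""
    now = [1_000_000.0]  # constructed clock value, seconds
    store = AuthorizationCodeStore(lifetime_seconds, clock=lambda: now[0])
    client, cb = "client-example", "https://client.example/cb"  # constructed sample values

    code = store.issue(client, cb)
    now[0] += lifetime_seconds / 2  # well inside the window
    first = store.redeem(code, client, cb)
    second = store.redeem(code, client, cb)  # same code again

    late = store.issue(client, cb)
    now[0] += lifetime_seconds + 1  # one second past the window
    expired = store.redeem(late, client, cb)

    return {"first": first, "second": second, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

With the 60-second default, `demo()` reports the first redemption as `ok`, the replay as `replayed`, and the code presented one second after the window as `expired`; passing `lifetime_seconds=600` shows the same behaviour at the RFC 6749 maximum.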
Comments (13)
-
reporter -
60 seconds seems reasonable.
-
This is entirely dependent on whether human interaction is required. I have found that 10 mins is not always possible in passing authorization that requires a human to move anything from one network to another.
-
- changed status to open
It is the lifetime of the authz code, so it is after the human interaction is done. 60s should be quite adequate except in the case of, say, a very freaky connection such as aeroplane Wi-Fi.
-
+1 to 60 seconds. It is in line with the timeout defaults of many HTTP libraries, which are often between 15 and 60 seconds.
-
+1 for 60 seconds. It’s also sufficiently short to be palatable to the banks and something that a test can be written for. And it removes ‘optionality’.
-
reporter -
assigned issue to
-
assigned issue to
-
reporter -
- changed status to resolved
PR merged
-
My personal experience with my bank is that even three minutes is too short. This happens when the bank suddenly inserts a 2FA step in the middle of an authz transaction. I suppose you could tell the bank about the UX problems so that they restructure their flows.
-
The authorization code is usually issued after all forms of authentication and authorization are performed. This shouldn’t affect the lifetime of the code post issuance.
-
So then when a transaction is flagged (by some random AI) after authz, the auth code is just invalidated? I guess that works.
-
- changed component to FAPI2: Security Profile
Raised against security topics draft here: https://github.com/oauthstuff/draft-ietf-oauth-security-topics/issues/50