Lifetime of authorization codes

Issue #538 resolved
Joseph Heenan created an issue

As per the discussion under https://bitbucket.org/openid/fapi/issues/534/authorization-request-leaks-lead-to-csrf#comment-64002704, long-lived authorization codes can make this attack easier.

The only guidance we’re aware of on authorization code lifetimes is RFC 6749, 4.1.2:

A maximum authorization code lifetime of 10 minutes is RECOMMENDED.

Discussion on today’s call indicated that shorter lifetimes are more usual these days, with lifetimes of one minute being mentioned as in use in various vendor default configurations.

There doesn’t seem to be anything in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics either, so we should raise this with the OAuth WG as well.

Comments (13)

  1. Tom Jones

    This is entirely dependent on whether human interaction is required. I have found that 10 mins is not always possible in passing authorization that requires a human to move anything from one network to another.

  2. Nat Sakimura
    • changed status to open

    It is the lifetime of authz code, so it is after the human interaction is done. 60s should be quite adequate except in the case of, say, on a very freaky connection such as aeroplane Wi-Fi.

  3. Daniel Fett

    +1 to 60 seconds. It is in line with the timeout defaults of many HTTP libraries, which are often between 15 and 60 seconds.

  4. Ralph Bragg

    +1 for 60 seconds; it’s also sufficiently short to be palatable to the banks and something that a test can be written for. And it removes ‘optionality’.

  5. Tom Jones

    My personal experience with my bank is that even three minutes is too short. This happens when the bank suddenly inserts a 2FA in the middle of an authz transaction. I suppose you could tell the bank about the UX problems so that they restructure their flows.

  6. Ralph Bragg

    The Authorization code is usually issued after all forms of authentication and Authorization is performed. This shouldn’t affect the lifetime of the code post issuance.

  7. Tom Jones

    So then when a transaction is flagged (by some random AI) after authz, the auth code is just invalidated? I guess that works.

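The lifetime check the thread is arguing about, as an added example that is not code from this issue, the FAPI working group or any vendor: an authorization server's code store with a 60-second default lifetime, RFC 6749 section 4.1.2's 10-minute RECOMMENDED maximum enforced as a hard upper bound, a token-endpoint redemption check, and explicit invalidation of a code after issuance (the case raised in comment 7). The code is issued only after authentication and consent finish, so the window covers the redirect and the token request, not the human interaction (comments 2 and 6). The clock is injectable so expiry can be exercised without sleeping; all class and function names are hypothetical.

```python
"""Authorization-code store with a short, configurable lifetime (added example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

RFC6749_MAX_LIFETIME_S = 600  # RFC 6749 4.1.2: maximum lifetime of 10 minutes RECOMMENDED
DEFAULT_LIFETIME_S = 60       # the value the discussion above converges on


@dataclass
class AuthzCode:
    client_id: str
    redirect_uri: str
    issued_at: float
    expires_at: float
    used: bool = False
    revoked: bool = False


class AuthzCodeStore:
    """In-memory store (hypothetical); a real server would use a shared store with TTLs."""

    def __init__(self, lifetime_s: int = DEFAULT_LIFETIME_S,
                 clock: Callable[[], float] = time.time) -> None:
        if not 0 < lifetime_s <= RFC6749_MAX_LIFETIME_S:
            raise ValueError("lifetime must be within (0, 600] seconds")
        self.lifetime_s = lifetime_s
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._codes: Dict[str, AuthzCode] = {}

    def issue(self, client_id: str, redirect_uri: str) -> str:
        # Called only once authentication, consent and any step-up 2FA have
        # completed: the lifetime covers the redirect and the token request,
        # not the human interaction.
        now = self._clock()
        code = secrets.token_urlsafe(32)
        self._codes[code] = AuthzCode(client_id, redirect_uri, now,
                                      now + self.lifetime_s)
        return code

    def revoke(self, code: str) -> None:
        """Invalidate a code after issuance, e.g. when the transaction is flagged."""
        entry = self._codes.get(code)
        if entry is not None:
            entry.revoked = True

    def redeem(self, code: str, client_id: str,
               redirect_uri: str) -> Tuple[bool, str]:
        """Token-endpoint check. Returns (accepted, reason)."""
        entry = self._codes.get(code)
        if entry is None:
            return False, "unknown_code"
        if entry.revoked:
            return False, "revoked"
        if entry.used:
            return False, "already_used"
        if self._clock() >= entry.expires_at:
            del self._codes[code]
            return False, "expired"
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return False, "binding_mismatch"
        entry.used = True
        return True, "ok"

    def sweep(self) -> int:
        """Drop expired entries; returns how many were removed."""
        now = self._clock()
        stale = [c for c, e in self._codes.items() if now >= e.expires_at]
        for c in stale:
            del self._codes[c]
        return len(stale)


class FakeClock:
    """Constructed clock for demonstration; advance .now to simulate delay."""

    def __init__(self, now: float = 1_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    store = AuthzCodeStore(lifetime_s=60, clock=clock)
    code = store.issue("client-a", "https://client.example/cb")
    clock.now += 61  # a slow path such as the in-flight Wi-Fi case: past the 60 s window
    print(store.redeem(code, "client-a", "https://client.example/cb"))  # (False, 'expired')
```

The expiry comparison uses `>=`, so a code presented exactly at the boundary is rejected, and an expired code is dropped from the store at the moment it is seen rather than waiting for the periodic `sweep`. Redemption also marks the code used and binds it to the client and redirect URI it was issued for, so a shorter lifetime narrows the window without being the only control.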