FAPI-R: Clarify authorization code reuse requirements

Branch: josephheenan/fapi:part1-auth-code-reuse

Branch: openid/fapi:master

Merged

#113 · Created 2019-06-19 · Last updated 2019-08-21

Merged pull request

Merged in josephheenan/fapi/part1-auth-code-reuse (pull request #113)

c3d5034·Author: Joseph Heenan·Closed by: Nat Sakimura·2019-08-21

Description

The OpenID Connect and OAuth2 specifications in places use unclear language when
talking about reuse of authorization codes.

This text attempts to state a clear position. The position chosen is
that already documented in one section of RFC6749 4.1.2:

If an authorization code is used more than
once, the authorization server MUST deny the request

In some ways it is not necessary to repeat this as it is already
in RFC6749, however the clause is often missed and OIDCC adds
confusion by adding 'if possible'.

closes #86

FAPI-R: Clarify authorization code reuse requirements

Merged pull request

Description

0 attachments

0 comments

Loading commits...