Add clarification if auth_req_id should be treated one time use or not

Issue #171 resolved
Petteri Stenius created an issue

When there is a successful token response to a token request using ciba grant type, does the auth_req_id value expire immediately (one time use) or is the client allowed to use the same auth_req_id value again until it expires because of timeout?

Comments (5)

  1. Brian Campbell

    Although the document doesn’t say it explicitly, it has always been my assumption that an auth_req_id would no longer be valid after it’d been successfully exchanged for a response with tokens. Adding some language to that effect is likely warranted, although I’m not sure how normatively strong it needs to be or should be.

  2. Joseph Heenan

    I agree with Brian; my presumption has always been that a correctly behaving client would not call the token endpoint once it has successfully obtained tokens.

    The FAPI-CIBA certification tests don’t test how the OP behaves in this case. I’m not sure it’s necessary / easy / helpful to test this case.

    (There’s a small chance that this means a network blip results in a client failing to obtain tokens after a successful authorization if the TCP connection is somehow reset after the server has received the final request but before the client receives the response. I’m not sure that’s a particularly important concern and it similarly exists for exchanging the authorization code for tokens.)

  3. Brian Campbell

    Pull request #77 adds a sentence clarifying that an auth_req_id value is no longer valid after being successfully exchanged for tokens

  4. Brian Campbell

    Merged in i171 (pull request #77) to fix issue #171

    auth_req_id value not valid after successful redemption

    Approved-by: Joseph Heenan
    Approved-by: Dave Tonge
    Approved-by: Bjorn Hjelm

    → <<cset 1fcaac1c9d13>>
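The behaviour the thread settles on (an auth_req_id is honoured for exactly one successful token exchange, and separately stops being valid when its expires_in window runs out) is shown below as an added example of the OP side of the CIBA token endpoint. This is constructed illustration code, not part of the CIBA specification, pull request #77 or any OP implementation; class and method names (CibaTokenEndpoint, start_backchannel_auth, user_approved, token) and the in-memory store are assumptions, and the injectable clock exists only to make expiry testable offline.

```python
"""OP-side model of the CIBA token endpoint enforcing one-time use of auth_req_id.

Constructed example. State model per auth_req_id: pending -> approved -> redeemed,
with a separate expiry deadline taken from expires_in. Error codes follow the
ones CIBA Core defines for the token endpoint (authorization_pending,
expired_token, invalid_grant).
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class AuthRequest:
    client_id: str
    issued_at: float
    expires_in: int          # seconds, same meaning as CIBA's expires_in value
    approved: bool = False   # set once the end user has authenticated/consented
    redeemed: bool = False   # set once tokens have been handed to the client

    def expired(self, now: float) -> bool:
        return now >= self.issued_at + self.expires_in


class CibaTokenEndpoint:
    """Minimal in-memory model of an OP's backchannel auth + token endpoints."""

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable for testing expiry
        self._requests: dict[str, AuthRequest] = {}

    def start_backchannel_auth(self, client_id: str, expires_in: int = 120) -> dict:
        """Backchannel authentication response: mints a fresh, unguessable auth_req_id."""
        auth_req_id = secrets.token_urlsafe(32)
        self._requests[auth_req_id] = AuthRequest(client_id, self._clock(), expires_in)
        return {"auth_req_id": auth_req_id, "expires_in": expires_in}

    def user_approved(self, auth_req_id: str) -> None:
        """Called by the authentication-device side once the user has consented."""
        self._requests[auth_req_id].approved = True

    def token(self, client_id: str, auth_req_id: str) -> dict:
        """Token request with grant_type=urn:openid:params:grant-type:ciba."""
        req = self._requests.get(auth_req_id)
        # Unknown identifiers, identifiers issued to another client, and
        # identifiers that were already redeemed are all rejected as invalid_grant.
        if req is None or req.client_id != client_id or req.redeemed:
            return {"error": "invalid_grant"}
        if req.expired(self._clock()):
            return {"error": "expired_token"}
        if not req.approved:
            return {"error": "authorization_pending"}
        # Mark redeemed *before* building the response so a replayed or
        # concurrent request carrying the same auth_req_id cannot obtain tokens.
        req.redeemed = True
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 3600,
            "id_token": "<constructed id_token placeholder>",
        }
```

The ordering inside token() is the point: the redeemed flag is set before any token material is returned, so the second token request with the same auth_req_id (whether a buggy client, a replay, or the retry Joseph describes after a dropped connection) gets invalid_grant rather than a second token response. A production OP would persist that flag atomically (a conditional update on the stored request) rather than in a process-local dict.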