Add clarification if auth_req_id should be treated one time use or not
When there is a successful token response to a token request using ciba grant type, does the auth_req_id value expire immediately (one time use) or is the client allowed to use the same auth_req_id value again until it expires because of timeout?
Comments (5)
-
reporter -
Although the document doesn’t say it explicitly, it has always been my assumption that an auth_req_id would no longer be valid after it’d been successfully exchanged for a response with tokens. Adding some language to that effect is likely warranted, although I’m not sure how normatively strong it needs to be or should be.
-
I agree with Brian; my presumption has always been that a correctly behaving client would not call the token endpoint once it has successfully obtained tokens.
The FAPI-CIBA certification tests don’t test how the OP behaves in this case. I’m not sure it’s necessary / easy / helpful to test this case.
(There’s a small chance that this means a network blip results in a client failing to obtain tokens after a successful authorization if the TCP connection is somehow reset after the server has received the final request but before the client receives the response. I’m not sure that’s a particularly important concern and it similarly exists for exchanging the authorization code for tokens.)
-
Pull request #77 adds a sentence clarifying that an auth_req_id value is no longer valid after being successfully exchanged for tokens.
- changed status to resolved
Merged in i171 (pull request #77) to fix issue #171: auth_req_id value not valid after successful redemption
Approved-by: Joseph Heenan
Approved-by: Dave Tonge
Approved-by: Bjorn Hjelm
→ <<cset 1fcaac1c9d13>>
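To make the resolved behaviour concrete, here is an added example of a token endpoint that treats auth_req_id as single-use once tokens have been issued. It is illustrative code written for this thread, not the CIBA specification's text, the FAPI-CIBA conformance suite, or any OP's implementation; the class and function names (CibaTokenEndpoint, AuthRequest, walkthrough, purge_expired) are hypothetical. The error codes used (authorization_pending, access_denied, expired_token, invalid_grant) are the ones CIBA Core defines for the token endpoint; returning invalid_grant for an already-redeemed auth_req_id is this example's choice, since the thread only says the value is "no longer valid" and does not fix an error code. Interval enforcement (slow_down) and ping/push modes are left out.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Grant type defined by OpenID Connect CIBA Core for the poll/ping token request.
CIBA_GRANT_TYPE = "urn:openid:params:grant-type:ciba"


@dataclass
class AuthRequest:
    """Server-side state behind one auth_req_id (hypothetical structure)."""
    client_id: str
    expires_at: float
    decision: str = "pending"   # pending | approved | denied
    redeemed: bool = False      # True once tokens have been issued for this id


class CibaTokenEndpoint:
    """Minimal OP model: backchannel request, user decision, token endpoint."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.requests: Dict[str, AuthRequest] = {}

    def backchannel_authentication(self, client_id: str, expires_in: int = 120) -> dict:
        auth_req_id = secrets.token_urlsafe(32)
        self.requests[auth_req_id] = AuthRequest(client_id, self.now() + expires_in)
        return {"auth_req_id": auth_req_id, "expires_in": expires_in, "interval": 5}

    def user_decision(self, auth_req_id: str, approved: bool) -> None:
        self.requests[auth_req_id].decision = "approved" if approved else "denied"

    def token(self, client_id: str, grant_type: str, auth_req_id: str) -> Tuple[int, dict]:
        if grant_type != CIBA_GRANT_TYPE:
            return 400, {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        # Unknown id, id issued to another client, and already-redeemed id all
        # collapse into invalid_grant: the client cannot tell them apart, but the
        # server can log the redeemed case as a replay (assumption for this example).
        if req is None or req.client_id != client_id or req.redeemed:
            return 400, {"error": "invalid_grant"}
        if self.now() >= req.expires_at:
            return 400, {"error": "expired_token"}
        if req.decision == "pending":
            return 400, {"error": "authorization_pending"}
        if req.decision == "denied":
            return 400, {"error": "access_denied"}
        # Successful redemption: mark consumed before returning, so a repeated
        # request with the same auth_req_id (retry, replay, stolen id) fails.
        req.redeemed = True
        return 200, {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 300,
        }

    def purge_expired(self) -> int:
        """Drop records past expiry; redeemed tombstones live until then."""
        dead = [k for k, r in self.requests.items() if self.now() >= r.expires_at]
        for k in dead:
            del self.requests[k]
        return len(dead)


def walkthrough() -> list:
    """Poll mode end to end; returns the sequence of token responses observed."""
    clock = [1000.0]  # constructed clock so the run is deterministic
    op = CibaTokenEndpoint(now=lambda: clock[0])
    rid = op.backchannel_authentication("client-a")["auth_req_id"]
    seen = [op.token("client-a", CIBA_GRANT_TYPE, rid)]       # authorization_pending
    op.user_decision(rid, approved=True)
    seen.append(op.token("client-a", CIBA_GRANT_TYPE, rid))   # 200 with tokens
    seen.append(op.token("client-a", CIBA_GRANT_TYPE, rid))   # invalid_grant: consumed
    clock[0] += 200
    seen.append(op.token("client-a", CIBA_GRANT_TYPE, rid))   # still invalid_grant
    return seen


if __name__ == "__main__":
    for status, body in walkthrough():
        print(status, body)
```

The redeemed flag is set in the same step that issues the tokens, so the third request in the walkthrough is the situation Joseph describes: a client whose connection dropped after the OP committed the redemption cannot retry with the same auth_req_id and must start a new backchannel request. Keeping the redeemed record until its original expiry rather than deleting it immediately costs nothing and lets the OP distinguish, in its own logs, a replayed id from one it never issued.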