This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
This site is in read only until July 22 as we migrate to a new platform; refer to this community post for more details.
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

AccessToken generation with AuthorizationCode in sync by multiple MPs

Posted on 04-06-2018 10:11 AM
Not applicable
Reply posted on --/--/---- --:-- AM

Hi Team,

I have a question from customer on OAuth Token API design.

They will use AuthorizationCode grant_type.
So first API call is a request to get AuthorizationCode and it's followed by generating Access Token with using it.

The question is about a generated AuthorizationCode can be used more than one time.

By RFC it's specified as a single use as follows.

10.5.  Authorization Codes

 Authorization codes MUST be short lived and single-use.  If the
   authorization server observes multiple attempts to exchange an
   authorization code for an access token, the authorization server
   SHOULD attempt to revoke all access tokens already granted based on
   the compromised authorization code.
However as they observed, the AuthorizationCode can be used twice and to get distinctive Access Tokens are given and both are valid. So, it's not follow the above RFC spec.

We guess that if there are multiple MPs, it seems that sync between MPs is not in time when the two requests of generating AccessToken comes to different MP simultaneously.

If this is the case, is there any way to prevent this by enforcing API request for generating AuthorizationCode and AccessToken by a single session on the same MP or sync MP before generating AccessToken on the two MPs?

I would appreciate your help on this query.

Regards,
Toshi



1 2 363
Topic Labels
Reply
2 REPLIES 2
Top Solution Authors
View all