
Access tokens should be revoked when multiple attempts are made to exchange the same authorization code #1713

Open
ransombriggs opened this issue Jul 10, 2024 · 0 comments

@ransombriggs (Contributor)

Steps to reproduce

I am working through a review with our security team and they requested that I revoke access tokens when there are multiple attempts to exchange the authorization code. This is one of the security recommendations from the RFC and I went to see if there were any hooks available that would allow us to revoke the tokens, but none seem to be available. Specifically I was hoping that I could register a hook at this point so that I can revoke the access tokens. If it would help, I can make a PR for this functionality.

> Authorization codes MUST be short lived and single-use. If the
> authorization server observes multiple attempts to exchange an
> authorization code for an access token, the authorization server
> SHOULD attempt to revoke all access tokens already granted based on
> the compromised authorization code.
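The behaviour the quoted RFC text asks for, as an added example that is not the issue author's code or the project's own: a minimal in-memory authorization server that records which access tokens were minted from each authorization code, enforces single use and a short lifetime, and on any second exchange attempt of the same code (from any client) revokes every token that code produced. Class and method names are assumptions.

```python
import secrets
import time
from typing import Dict, List, Optional

class AuthorizationServer:
    """Illustrative (assumed) model: tracks issued codes and the tokens minted from them."""

    def __init__(self, code_ttl_seconds: int = 60):
        self.code_ttl = code_ttl_seconds
        # code -> {"client_id", "issued_at", "used", "tokens"}
        self._codes: Dict[str, dict] = {}
        # access_token -> True while active, False once revoked
        self._tokens: Dict[str, bool] = {}

    def issue_code(self, client_id: str) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "issued_at": time.time(),
                             "used": False, "tokens": []}
        return code

    def exchange_code(self, code: str, client_id: str) -> Optional[str]:
        """Return a new access token, or None on any failure."""
        record = self._codes.get(code)
        if record is None:
            return None
        if record["used"]:
            # Second attempt to exchange this code, whoever sent it: treat the
            # code as compromised and revoke everything granted from it.
            self.revoke_tokens_for_code(code)
            return None
        if record["client_id"] != client_id:
            return None  # code was issued to a different client
        if time.time() - record["issued_at"] > self.code_ttl:
            return None  # expired: short-lived window has closed
        record["used"] = True
        token = secrets.token_urlsafe(32)
        record["tokens"].append(token)
        self._tokens[token] = True
        return token

    def revoke_tokens_for_code(self, code: str) -> int:
        """Revoke all active tokens minted from `code`; return how many."""
        revoked = 0
        for token in self._codes[code]["tokens"]:
            if self._tokens.get(token):
                self._tokens[token] = False
                revoked += 1
        return revoked

    def token_is_active(self, token: str) -> bool:
        return self._tokens.get(token, False)
```

In a real server the token lookup in `revoke_tokens_for_code` is the hook point the issue asks for: the code-to-token link must be persisted with the grant so the revocation can run when reuse is detected.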
