Lifetime of authorization codes #50

Open
jogu opened this issue Aug 24, 2022 · 3 comments
@jogu
jogu commented Aug 24, 2022

I couldn't find any text in the current document about the lifetime of authorization codes, but this may be worth mentioning?

The only guidance we’re aware of on authorization code lifetimes is RFC 6749, 4.1.2:

A maximum authorization code lifetime of 10 minutes is RECOMMENDED.

Feedback from vendors (on the FAPI WG) seemed to be that they default to shorter lifetimes.

Shorter lifetimes seem like they can prevent various attacks, particularly if the AS isn't enforcing single use of the authorization code.
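The two controls mentioned above, a capped code lifetime and single-use enforcement, as an added example of what the token endpoint check looks like on the AS side. This is illustration written for this page, not code from the Security BCP draft or from any commenter; the class, method and store names are invented, the store is in-memory, and the clock is injectable so expiry can be exercised without sleeping. It rejects an expired code, binds the code to the client it was issued to (RFC 6749 §4.1.3), and on replay of an already-used code denies the request and revokes the tokens issued from it (RFC 6749 §4.1.2). The `enforce_single_use=False` path shows why the lifetime matters more when that check is missing: it is then the only bound on how long a leaked code can be replayed.

```python
"""Authorization-code bookkeeping on the AS side (added example, not the BCP's text).

Assumptions (hypothetical, for illustration only): an in-memory code store, an
injectable clock, and one class `AuthorizationServer` that both issues and
redeems codes. All names are invented for this example.
"""
import secrets
import time
from dataclasses import dataclass, field

# RFC 6749 section 4.1.2: a maximum authorization code lifetime of 10 minutes is RECOMMENDED.
RFC6749_MAX_CODE_LIFETIME = 600


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping (test aid)."""

    def __init__(self, now=1_700_000_000.0):
        self.now = now

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


@dataclass
class CodeRecord:
    client_id: str          # client the code was issued to (must match at redemption)
    issued_at: float        # clock value at issuance
    redeemed: bool = False
    tokens: list = field(default_factory=list)  # access tokens issued from this code


class AuthorizationServer:
    def __init__(self, code_lifetime=RFC6749_MAX_CODE_LIFETIME,
                 enforce_single_use=True, clock=time.time):
        self.code_lifetime = code_lifetime
        self.enforce_single_use = enforce_single_use
        self._clock = clock
        self._codes = {}            # code -> CodeRecord
        self._live_tokens = set()   # access tokens that are issued and not revoked

    def issue_code(self, client_id):
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id=client_id, issued_at=self._clock())
        return code

    def redeem_code(self, code, client_id):
        """Token endpoint handling of grant_type=authorization_code.
        Returns an access token, or None if the grant is rejected."""
        rec = self._codes.get(code)
        if rec is None or rec.client_id != client_id:
            return None  # unknown code, or issued to a different client (RFC 6749 4.1.3)
        if self._clock() - rec.issued_at > self.code_lifetime:
            del self._codes[code]
            return None  # expired: the lifetime caps how long a leaked code stays usable
        if rec.redeemed and self.enforce_single_use:
            # Replay of a code already used. RFC 6749 4.1.2: deny the request and,
            # where possible, revoke all tokens previously issued based on that code.
            for tok in rec.tokens:
                self._live_tokens.discard(tok)
            del self._codes[code]
            return None
        # Either first use, or an AS that does not enforce single use: for such an AS
        # the code lifetime is the only bound on how long a stolen code can be replayed.
        rec.redeemed = True
        token = secrets.token_urlsafe(32)
        rec.tokens.append(token)
        self._live_tokens.add(token)
        return token

    def token_is_valid(self, token):
        return token in self._live_tokens


def demo():
    """Exercise both behaviours with a fake clock; returns (strict_results, lax_results)."""
    clock = FakeClock()
    strict = AuthorizationServer(code_lifetime=60, clock=clock)
    code = strict.issue_code("client-a")
    first = strict.redeem_code(code, "client-a")
    replay = strict.redeem_code(code, "client-a")       # rejected, and the first token is revoked
    strict_results = (first is not None, replay is None, strict.token_is_valid(first))

    lax = AuthorizationServer(code_lifetime=60, enforce_single_use=False, clock=clock)
    code = lax.issue_code("client-a")
    lax.redeem_code(code, "client-a")
    clock.advance(30)
    within = lax.redeem_code(code, "client-a")          # replay succeeds inside the lifetime
    clock.advance(31)
    expired = lax.redeem_code(code, "client-a")         # but not once the code has expired
    lax_results = (within is not None, expired is None)
    return strict_results, lax_results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` with the strict server shows the replay rejected and the earlier access token invalidated; with the lax server the same replay hands out a second token until the 60-second lifetime runs out, which is the window the vendor defaults mentioned above are shrinking.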

@jogu
Author

jogu commented Sep 21, 2022

Also raised on mailing list here: https://mailarchive.ietf.org/arch/msg/oauth/L7GX7kwlrKauoOyRqtnYrwC0LuY/

@danielfett
Collaborator

Since I don't think that there is a general recommendation we could provide and there was no resonance on the mailing list, I'll postpone this topic for a potential second version of the security BCP.

@tlodderstedt
Contributor

+1
