Tags: authentication, oauth-2.0, spring-security-oauth2, rest-security, kong

OAuth 2.0 Life cycle of "code" in Authorization code Grant


Authorization code grant: I know the code is a short-lived token exchanged for the real long-lived access token. I have gone through OAuth 2.0 but could not find this information, so I am asking here:

  • What is the life cycle of a code?
  • Is it for one-time use only?
  • How many times can a code be exchanged to get an access token?
  • What happens to a code after an access token is given for that code?

I am using the OAuth 2.0 plugin on the Kong API gateway. It is keeping the code alive for a particular time, and multiple access tokens can be generated using the same code during that time. Is this the expected behaviour?

Thanks for any advice.


Solution

  • An authorization code must be short-lived and should be one-time use to avoid fake use. So, to answer your questions:

    What is the life cycle of code?

    • When the user authenticates using the authorization_code flow, once authenticated and granted access for the scopes, a short-lived (say 1 minute) valid code will be created and sent back to the redirect URI.

    Is it for only one-time use?

    • Yes, it must be one-time use for best security. When an access token is requested using the authorization_code, then whether the request succeeds or fails (due to some validation error or server error), the authorization code must be deleted or marked as used (depending on how you want to use it).

    How many times can a code be exchanged to get access token?

    • One authorization_code can grant only one access token, since the code will be revoked once an access token is issued.

    What happen to a code after access token is given for that code?

    Best practice: the code can be deleted.

    Check out the Google OAuth 2.0 documentation for a better understanding and to see how it's used.

    https://developers.google.com/identity/protocols/OAuth2WebServer

    For the Kong issue, it seems it's a bug in Kong and they promised to give a fix in the 0.9 release. Check this discussion.
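How the lifecycle described in the answer looks in code, as an added example (not code from the page, from Kong or from Google): a toy in-memory authorization server with a hypothetical `AuthorizationServer` class whose codes expire after `CODE_TTL_SECONDS`, are consumed by any exchange attempt (success or failure), and, going one step past the answer, on a replayed code revoke the access token previously issued from that code, as RFC 6749 §4.1.2 requires.

```python
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 60  # short-lived, about one minute as the answer suggests


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    expires_at: float
    used: bool = False
    issued_tokens: list = field(default_factory=list)


class AuthorizationServer:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._codes = {}           # code -> AuthCode
        self._access_tokens = {}   # access token -> still active?

    def issue_code(self, client_id, redirect_uri):
        """Step 1: after consent, mint a random, short-lived code bound to the client."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = AuthCode(client_id, redirect_uri,
                                     self._now() + CODE_TTL_SECONDS)
        return code

    def exchange_code(self, code, client_id, redirect_uri):
        """Step 2: redeem the code once; return an access token or None on denial."""
        entry = self._codes.get(code)
        if entry is None:
            return None
        if entry.used:
            # Replay: deny, and revoke every token minted from this code (RFC 6749 §4.1.2).
            for tok in entry.issued_tokens:
                self._access_tokens[tok] = False
            return None
        if (self._now() > entry.expires_at or entry.client_id != client_id
                or entry.redirect_uri != redirect_uri):
            del self._codes[code]  # a failed exchange consumes the code; no retry
            return None
        token = secrets.token_urlsafe(32)
        entry.used = True          # keep the record, marked used, so replay is detectable
        entry.issued_tokens.append(token)
        self._access_tokens[token] = True
        return token

    def token_is_active(self, token):
        return self._access_tokens.get(token, False)
```

The Kong behaviour from the question (one code yielding several tokens) corresponds to dropping the `entry.used` check; with it in place the second exchange is denied and the first token is revoked.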