I'm currently assessing the security of an application using OAuth2 authentication. During the OAuth dance, when authenticating with user John Doe in browser A, one of the requests is: GET https://siteImAssessing.cxx/?code=LongOAUTH2AuthorizationCode
What I've noticed is that I can copy and paste that request in a different browser (browser B) and I become John Doe in that browser as well without the need to enter John Doe's credentials. (I receive fresh JWT tokens in browser B as well)
Would this be considered normal OAuth2 behavior?
Thank you,
No, you should not be able to be John Doe in both browsers. The authorization code can only be used once (see https://www.rfc-editor.org/rfc/rfc6749#page-27). The code should be invalidated after it is used to get a token.
If you can copy the request and successfully execute it from another browser (session), it means the authorization server is not invalidating the code after it was used. You may want to file a bug with the vendor of the authorization server.
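As an added illustration of the single-use rule the answer cites (this is example code, not from the question, the answer, or any real authorization server), here is a minimal in-memory model of a token endpoint that burns a code on first redemption, denies a replay, and revokes the earlier token as RFC 6749 section 4.1.2 requires; the subject, client id and redirect URI are constructed values.

```python
import secrets
import time

# Constructed in-memory stores; a real authorization server would persist these.
CODE_TTL_SECONDS = 600
_codes = {}    # code -> {"sub", "client_id", "redirect_uri", "issued_at", "used", "tokens"}
_tokens = {}   # access token -> {"sub", "code", "revoked"}

def issue_code(sub, client_id, redirect_uri):
    """Authorization endpoint: mint a short-lived, single-use code bound to the client."""
    code = secrets.token_urlsafe(32)
    _codes[code] = {"sub": sub, "client_id": client_id, "redirect_uri": redirect_uri,
                    "issued_at": time.time(), "used": False, "tokens": []}
    return code

def redeem_code(code, client_id, redirect_uri):
    """Token endpoint: exchange a code for an access token exactly once.
    Returns (token, None) on success or (None, "invalid_grant"). On reuse, RFC 6749
    4.1.2: MUST deny the request, SHOULD revoke tokens previously issued from the code."""
    entry = _codes.get(code)
    if entry is None:
        return None, "invalid_grant"
    if entry["used"]:
        for tok in entry["tokens"]:
            _tokens[tok]["revoked"] = True   # replay detected: kill the earlier tokens
        return None, "invalid_grant"
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        return None, "invalid_grant"       # code bound to a different client/redirect
    if time.time() - entry["issued_at"] > CODE_TTL_SECONDS:
        return None, "invalid_grant"       # expired code
    entry["used"] = True                   # burn the code before issuing anything
    token = secrets.token_urlsafe(32)
    _tokens[token] = {"sub": entry["sub"], "code": code, "revoked": False}
    entry["tokens"].append(token)
    return token, None

def token_is_valid(token):
    """Resource-server check: a token revoked after code replay must be rejected."""
    rec = _tokens.get(token)
    return rec is not None and not rec["revoked"]

def replay_check():
    """Reproduce the question's scenario: browser A redeems the code, browser B replays
    it. A correct server refuses B and revokes the token it already gave A."""
    code = issue_code("john.doe", "web-app", "https://example.invalid/cb")
    tok_a, err_a = redeem_code(code, "web-app", "https://example.invalid/cb")
    tok_b, err_b = redeem_code(code, "web-app", "https://example.invalid/cb")
    return {"first_use_ok": err_a is None and tok_a is not None,
            "replay_denied": tok_b is None and err_b == "invalid_grant",
            "first_token_still_valid": token_is_valid(tok_a)}
```

The behaviour the question observed (browser B also obtaining fresh tokens) corresponds to a server that never sets `used` on the code; the replay in `replay_check` is the test case a vendor bug report can describe.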