Re: [OAUTH-WG] Question related to authorization code in OAuth 2.0
John Bradley <ve7jtb@ve7jtb.com> Sun, 02 September 2012 01:21 UTC
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAD_036mbk9TfySTqrstwMaaOHu_3T2C0KFpPyEi3drW4avr=tg@mail.gmail.com>
Date: Sat, 01 Sep 2012 21:20:59 -0400
Message-Id: <C78979D5-30D6-4DB4-864E-18547CBB3E8D@ve7jtb.com>
References: <CAD_036mbk9TfySTqrstwMaaOHu_3T2C0KFpPyEi3drW4avr=tg@mail.gmail.com>
To: Bilal Ashraf <bilal.ashraf@gmail.com>
Cc: OAuth@ietf.org
The code is tied to the client, and is single use. In principle, over time a server may generate the same code more than once. The code is the only way an Authorization server has to differentiate between instances of clients. If you were to have two instances of a client with the same code value at the same time, that is likely to go very wrong. So there must never be two codes issued within the same validity window. (That is why they are single use with a short lifetime like 5 min.)

You will say, what if they are issued to two different client IDs? Assuming they are confidential clients that might be possible, but it is still a horrible idea; don't do it!

John B.

On 2012-09-01, at 5:39 PM, Bilal Ashraf <bilal.ashraf@gmail.com> wrote:

> Hi,
>
> In the Authorization code flow, after resource owner authentication and approval, the application is provided with an authorization code in the response by the authorization server. The authorization code is basically the resource owner's authorization to the application for resource owner data access. That means the authorization code is bound to the application.
>
> Is it possible that for two resource owner authentications, the same authorization code is returned in the response? e.g.
>
> Resource owner 1 : Authenticate successfully -> Approval -> authorization code = 123 issued
> Resource owner 2 : Authenticate successfully -> Approval -> authorization code = 123 issued
>
> Regards,
> Bilal Ashraf
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
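One way an authorization server can enforce the properties discussed in this thread (code bound to one client, single use, short-lived, and never two live codes with the same value), as an added example that is not part of the original thread or any IETF code. The in-memory store, the class and method names, and the 300-second lifetime constant are assumptions; a real server would back this with a shared database.

```python
import secrets
import time

# "short lifetime like 5 min" from the thread, expressed in seconds
CODE_LIFETIME_SECONDS = 300


class AuthorizationCodeStore:
    """Hypothetical in-memory store that issues and redeems OAuth 2.0 authorization codes.

    Invariants: each code is bound to exactly one client (and redirect URI),
    is redeemable once, expires after CODE_LIFETIME_SECONDS, and no two
    unexpired codes ever share the same value.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._codes = {}         # code value -> grant record

    def _purge_expired(self):
        now = self._now()
        expired = [c for c, g in self._codes.items() if g["expires_at"] <= now]
        for code in expired:
            del self._codes[code]

    def issue(self, client_id, redirect_uri, subject):
        """Mint a fresh code for `subject`, bound to `client_id`/`redirect_uri`."""
        self._purge_expired()
        while True:
            # 256 bits from a CSPRNG: a collision is astronomically unlikely,
            # but the loop enforces uniqueness within the validity window
            # instead of merely assuming it.
            code = secrets.token_urlsafe(32)
            if code not in self._codes:
                break
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "sub": subject,
            "expires_at": self._now() + CODE_LIFETIME_SECONDS,
        }
        return code

    def redeem(self, code, client_id, redirect_uri):
        """Return the subject on success, None otherwise.

        The code is removed before any check runs, so a failed attempt
        (wrong client, wrong redirect URI) also burns it: single use either way.
        """
        self._purge_expired()
        grant = self._codes.pop(code, None)
        if grant is None:
            return None
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            return None
        return grant["sub"]
```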