I think so. In WRAP the verification code was RECOMMENDED to be one-time use.

On 2010-05-30, at 9:38 AM, Andrew Arnott wrote:

> I was reviewing 3.6.2.  Client Requests Access Token and it occurred to me 
> that there's no requirement in the spec (that I can find) that a given 
> callback URI and verification code can only be exchanged for access and 
> refresh tokens at most once.  Should the verification code include an encoded 
> nonce from the auth server so that it is only usable once?
> 
> I seem to recall one of the social engineering attacks in OAuth 1.0 was 
> mitigated by ensuring that the user authorization could only be redeemed for 
> an access token once.
> 
> Thanks.
> 
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death 
> your right to say it." - S. G. Tallentyre
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

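As an added example (not code from this thread, nor from any OAuth implementation), a hypothetical token endpoint that enforces what the question asks for: the server remembers each verification code it issued, binds it to the client and callback URI, consumes it on first redemption, and on a replay refuses the request and revokes the tokens already issued from that code (the behaviour RFC 6749 later specified). The class names, the code lifetime and the use of the `invalid_grant` error string are assumptions.

```python
import secrets
import time

CODE_TTL_SECONDS = 600  # lifetime of an unredeemed code in seconds (assumed value)


class TokenError(Exception):
    def __init__(self, error):
        super().__init__(error)
        self.error = error  # OAuth error code returned by the token endpoint


class AuthorizationServer:
    """Hypothetical server-side state for single-use verification codes."""

    def __init__(self):
        self._codes = {}   # code -> {client_id, redirect_uri, expires, used}
        self._tokens = {}  # access token -> code it was redeemed from

    def issue_code(self, client_id, redirect_uri, now=None):
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)  # unguessable; the server remembers it
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "expires": now + CODE_TTL_SECONDS, "used": False}
        return code

    def exchange_code(self, code, client_id, redirect_uri, now=None):
        now = time.time() if now is None else now
        rec = self._codes.get(code)
        if rec is None:
            raise TokenError("invalid_grant")
        if rec["used"]:
            # A second redemption means the code leaked or was replayed:
            # refuse it and revoke every token already issued from it.
            for tok in [t for t, c in self._tokens.items() if c == code]:
                del self._tokens[tok]
            raise TokenError("invalid_grant")
        # The code is bound to the client and callback URI it was issued for.
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise TokenError("invalid_grant")
        if now > rec["expires"]:
            raise TokenError("invalid_grant")
        rec["used"] = True  # the first successful redemption consumes the code
        token = secrets.token_urlsafe(32)
        self._tokens[token] = code
        return {"access_token": token, "token_type": "bearer"}

    def token_is_valid(self, token):
        return token in self._tokens
```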
