Hi all

I couldn't find any text in the current BCP document about the lifetime of 
authorization codes, do people think that this may be worth mentioning?

The only guidance I could find on authorization code lifetimes is RFC 6749, 
4.1.2:

"A maximum authorization code lifetime of 10 minutes is RECOMMENDED."

Feedback from some vendors (on the FAPI WG) seemed to be that they default to 
shorter lifetimes these days.

Shorter lifetimes seem like they can prevent various attacks, particularly if 
the AS isn't enforcing single-use of authorization code.


(I raised this at 
https://github.com/oauthstuff/draft-ietf-oauth-security-topics/issues/50 too, 
but forgot to email this list at the time)

Thanks

Joseph
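
Added example, not code from the post or from any OAuth implementation: a minimal authorization-server-side code store that enforces the two mitigations Joseph mentions, a bounded code lifetime and single use, and that revokes the tokens minted from a code when that code is replayed, as RFC 6749 section 4.1.2 also recommends. The class name, the 60-second default, and the in-memory store are assumptions of the example.

```python
import secrets
import time

RFC6749_MAX_CODE_LIFETIME = 600  # seconds; the RECOMMENDED maximum in RFC 6749 4.1.2


class AuthCodeStore:
    def __init__(self, lifetime=60, clock=time.time):
        # Refuse lifetimes above the RFC 6749 recommended maximum (60 s default is an assumption).
        if lifetime > RFC6749_MAX_CODE_LIFETIME:
            raise ValueError("code lifetime exceeds RFC 6749 recommended maximum")
        self.lifetime = lifetime
        self.clock = clock  # injectable so tests can advance time deterministically
        self._codes = {}    # code -> {client_id, issued_at, redeemed, access_token}
        self.revoked_tokens = set()

    def issue(self, client_id):
        # Codes are unguessable and bound to the client they were issued to.
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "issued_at": self.clock(),
                             "redeemed": False, "access_token": None}
        return code

    def redeem(self, code, client_id):
        # Returns an access token, or raises PermissionError for an invalid,
        # expired, or already used code (all reported to the client as invalid_grant).
        entry = self._codes.get(code)
        if entry is None or entry["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        if entry["redeemed"]:
            # Replay of a single-use code: treat it as leaked and revoke the
            # token issued on the first redemption (RFC 6749 4.1.2).
            if entry["access_token"] is not None:
                self.revoked_tokens.add(entry["access_token"])
            del self._codes[code]
            raise PermissionError("invalid_grant: code reuse detected, grant revoked")
        if self.clock() - entry["issued_at"] > self.lifetime:
            del self._codes[code]
            raise PermissionError("invalid_grant: code expired")
        entry["redeemed"] = True
        entry["access_token"] = secrets.token_urlsafe(32)
        return entry["access_token"]

    def is_revoked(self, token):
        # Resource servers (or the token introspection endpoint) would consult this.
        return token in self.revoked_tokens
```

Deleting an expired code means a later replay of it can no longer be distinguished from a random invalid code; keeping expired entries for a grace period would let the AS log that case too.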


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
