Authorisation flow: Authorisation code destruction
lloydmeta opened this issue · comments
Hi,
Firstly, great work on this lib; really helps a lot to have something like this to guide us in implementing a Scala OAuth2 provider :)
Cutting to the chase, it looks like this lib handles the generation of an AccessToken when provided an Authorisation Code. However, it doesn't seem to provide a way to ensure that once an AccessToken has been generated, the Authorisation code used gets destroyed, in order to ensure the following clause in section 4.1.2 of the RFC:
The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI.
I think one way is to add a deleteAuthCode method to AuthorizationHandler, and have AuthorizationCode extends GrantHandler call that upon successful completion of issueAccessToken.
Any thoughts?
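An added illustration of the proposal above (not scala-oauth2-provider's own code): a minimal AuthorizationHandler with the suggested deleteAuthCode, and a grant handler that destroys the code once issueAccessToken has succeeded, so a second exchange of the same code is denied as RFC 6749 section 4.1.2 requires. The handler is synchronous and in-memory for brevity, and every name other than deleteAuthCode, AuthorizationHandler and issueAccessToken is an assumption.

```scala
import scala.collection.mutable

final case class AuthInfo(userId: String, clientId: String, redirectUri: Option[String])
final case class AccessToken(token: String, authInfo: AuthInfo)

// Hypothetical handler interface; deleteAuthCode is the method proposed in this issue.
trait AuthorizationHandler {
  def findAuthInfoByCode(code: String): Option[AuthInfo]
  def createAccessToken(authInfo: AuthInfo): AccessToken
  def deleteAuthCode(code: String): Unit
}

class AuthorizationCodeGrantHandler {
  def issueAccessToken(handler: AuthorizationHandler, code: String, clientId: String): Either[String, AccessToken] =
    handler.findAuthInfoByCode(code) match {
      case None => Left("invalid_grant")                                   // unknown or already consumed
      case Some(info) if info.clientId != clientId => Left("invalid_grant") // code is bound to the client id
      case Some(info) =>
        val token = handler.createAccessToken(info)
        handler.deleteAuthCode(code) // single use: destroy the code right after a successful issue
        Right(token)
    }
}

// In-memory handler with one constructed authorisation code, for this example only.
class InMemoryHandler extends AuthorizationHandler {
  private val codes = mutable.Map("code-abc" -> AuthInfo("alice", "client-1", None))
  private var counter = 0
  def findAuthInfoByCode(code: String): Option[AuthInfo] = codes.get(code)
  def createAccessToken(info: AuthInfo): AccessToken = { counter += 1; AccessToken(s"token-$counter", info) }
  def deleteAuthCode(code: String): Unit = { codes -= code; () }
}

object Demo {
  def main(args: Array[String]): Unit = {
    val handler = new InMemoryHandler
    val grant = new AuthorizationCodeGrantHandler
    println(grant.issueAccessToken(handler, "code-abc", "client-1")) // first exchange: token issued
    println(grant.issueAccessToken(handler, "code-abc", "client-1")) // second exchange of the same code: denied
  }
}
```

A persistent implementation would make the lookup-and-delete atomic (or delete first and issue only if the delete removed a row), otherwise two concurrent exchanges of the same code can both succeed.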
I think one way is to add a deleteAuthCode method to AuthorizationHandler, and have AuthorizationCode extends GrantHandler call that upon successful completion of issueAccessToken
We should implement this with your idea.
Could you send the PR to us?
Definitely. Will send a PR :)
On Fri, May 15, 2015 at 8:09 PM, Tsuyoshi Yoshizawa <notifications@github.com> wrote:
> I think one way is to add a deleteAuthCode method to AuthorizationHandler, and have AuthorizationCode extends GrantHandler call that upon successful completion of issueAccessToken
> We should implement this with your idea.
> Could you send the PR to us?
Thanks for your PR 👍