Hi all
I couldn't find any text in the current BCP document about the lifetime of
authorization codes, do people think that this may be worth mentioning?
The only guidance I could find on authorization code lifetimes is RFC 6749,
4.1.2:
"A maximum authorization code lifetime of 10 minutes is R
Re-use of Authorization Codes is a strict violation of the spec as
described in https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2
I generally agree that a shorter lifetime is fine in most cases, but the
lifetime of the authorization code is not what provides security, the
single-use requ
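The two properties discussed in this thread (a short, bounded lifetime and strict single use of the authorization code) are both enforced at the token endpoint. As an added illustration, not code from the list or from any OAuth implementation, here is a minimal in-memory authorization-code store in Python. The class and function names are hypothetical; the 10-minute bound is the RFC 6749 section 4.1.2 recommendation, and the replay handling follows that section's guidance to deny the request and revoke tokens previously issued on the same code. The clock is injectable so expiry can be exercised deterministically.

```python
import secrets
import time
from dataclasses import dataclass, field

# RFC 6749 section 4.1.2 recommends a maximum authorization code lifetime of 10 minutes.
CODE_LIFETIME_SECONDS = 600


@dataclass
class IssuedCode:
    """Server-side record for one authorization code (hypothetical structure)."""
    client_id: str
    redirect_uri: str
    issued_at: float
    redeemed: bool = False
    tokens: list = field(default_factory=list)  # access tokens minted from this code


class AuthorizationCodeStore:
    """In-memory store enforcing bounded lifetime and single use of codes."""

    def __init__(self, lifetime=CODE_LIFETIME_SECONDS, clock=time.time):
        self._codes = {}
        self._lifetime = lifetime
        self._clock = clock          # injectable for testing expiry
        self.revoked_tokens = set()  # tokens revoked because their code was replayed

    def issue(self, client_id, redirect_uri):
        """Mint an unguessable code bound to the client and redirect URI."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(client_id, redirect_uri, self._clock())
        return code

    def redeem(self, code, client_id, redirect_uri):
        """Exchange a code for an access token.

        Raises ValueError("invalid_grant") on any failure, matching the OAuth
        error code the token endpoint would return.
        """
        entry = self._codes.get(code)
        if entry is None:
            raise ValueError("invalid_grant")
        # The code must be presented by the client it was issued to, with the
        # same redirect_uri, before any other check is considered.
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            raise ValueError("invalid_grant")
        if entry.redeemed:
            # Replay detected: deny, and revoke every token issued on this code,
            # since either the legitimate client or the replaying party is an attacker.
            for token in entry.tokens:
                self.revoked_tokens.add(token)
            raise ValueError("invalid_grant")
        if self._clock() - entry.issued_at > self._lifetime:
            # Expired: the lifetime bound limits how long a leaked code stays usable.
            del self._codes[code]
            raise ValueError("invalid_grant")
        entry.redeemed = True
        token = secrets.token_urlsafe(32)
        entry.tokens.append(token)
        return token

    def is_token_valid(self, token):
        """Resource-server side check that a token has not been revoked by replay."""
        return token not in self.revoked_tokens


if __name__ == "__main__":
    store = AuthorizationCodeStore()
    code = store.issue("client-123", "https://app.example/cb")
    access = store.redeem(code, "client-123", "https://app.example/cb")
    try:
        store.redeem(code, "client-123", "https://app.example/cb")
    except ValueError as err:
        print("second redemption rejected:", err, "| first token still valid:",
              store.is_token_valid(access))
```

Note that the replay branch runs before the expiry check on purpose: a replayed code must trigger revocation of the earlier tokens even if it has since expired, which is what makes single use, rather than the lifetime alone, the security-bearing property.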