=== Compromised Authorization Code
For the <<_oidc-auth-flows, OIDC Auth Code Flow>>, it would be very hard for an attacker to compromise {project_name} authorization codes.
{project_name} generates a cryptographically strong random value for its authorization codes so it would be very hard to guess an access token.
An authorization code can only be used once to obtain an access token.
In the admin console you can specify how long an authorization code is valid for on the <<_timeouts, timeouts page>>.
This value should be very short, a few seconds at most, and just long enough for the client to make the request that exchanges the code for a token.
You can also mitigate against leaked authorization codes by applying PKCE to clients. See <<_proof-key-for-code-exchange, Proof Key for Code Exchange (PKCE)>> to learn how.
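The three defences above (a cryptographically strong code, single use, a short lifetime) plus the PKCE binding can be seen together in this added example of a minimal token-endpoint check. It is illustrative code written for this page, not {project_name}'s implementation; the in-memory store, the `issue_code`/`redeem_code` names and the 5-second default lifetime are assumptions.

```python
import base64
import hashlib
import secrets
import time

# Constructed in-memory store for the example: code -> issuance record.
# A real server would use its session store; the semantics are what matter here.
_codes = {}


def pkce_challenge(code_verifier):
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(client_id, code_challenge, ttl_seconds=5):
    """Issue an authorization code: 256 bits from a CSPRNG, bound to a client and a
    PKCE challenge, and valid only for a few seconds (ttl_seconds is an assumed default)."""
    code = secrets.token_urlsafe(32)
    _codes[code] = {
        "client_id": client_id,
        "challenge": code_challenge,
        "expires_at": time.monotonic() + ttl_seconds,
    }
    return code


def redeem_code(code, client_id, code_verifier, now=None):
    """Exchange a code for a token. Returns (ok, reason).

    The code is removed from the store on the first attempt, successful or not,
    so a code that leaked and was used by someone else cannot be used again, and a
    replay after the legitimate exchange is rejected as unknown."""
    now = time.monotonic() if now is None else now
    record = _codes.pop(code, None)
    if record is None:
        return False, "unknown_or_reused_code"
    if now > record["expires_at"]:
        return False, "expired_code"
    if record["client_id"] != client_id:
        return False, "client_mismatch"
    # Constant-time comparison of the recomputed S256 challenge with the stored one.
    if not secrets.compare_digest(pkce_challenge(code_verifier), record["challenge"]):
        return False, "pkce_mismatch"
    return True, "ok"
```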