On 22/05/17 15:16, Bill Burke wrote:
>> 4) Is it ok to have option to relax on code one-time use?
>> Otherwise in
>> cross-DC and without sticky session, every code exchange may require
>> a SYNC request to other DCs to double-check the code was not used already.
>> Not good for performance..
>>
> Maybe this is OK. Confidential apps need credentials and then
> there's Proof Key for Code Exchange for public clients. Although the latter
> may be another issue in cross-DC?
>
>
>> For now, I can see some combination of 1,3,4 as a way to go. WDYT?
>> Marek
I think 1 and 4 will hobble us for future things we want to do.
Ok, I understand 1 may be problematic for some scenarios and won't do
it. But what exactly is a blocker for relax on code one-time use?
I am thinking that the code will still be single-use by default, as it's
required per the OAuth2/OIDC specs. However admins, who prefer performance
over security, may choose to relax strict code one-time use. This may be a
new option - not sure whether configurable per realm or per client. I
can see it's likely ok in some environments (private corporate networks
etc)?
Marek