How to prevent reuse of Oauth Authorization Code?

Rob 26 Reputation points
2023-02-09T02:59:37.2966667+00:00

I'm using the OAuth 2.0 authorization code flow, but I noticed that I'm able to reuse the same authorization code and the server responds with a new id token.

And as per the OAuth 2.0 specification, the client MUST NOT reuse the same authorization code (https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2).

Am I missing any settings in my policy? The only documentation that I found about the authorization code flow in Azure B2C is the following: https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy#authorization-code-lifetime

oauthcode

Microsoft Entra External ID

Accepted answer
    Marilee Turscak-MSFT 37,141 Reputation points Microsoft Employee
    2023-02-10T01:35:03.6733333+00:00

    Hi Rob,

    I did some research on this topic and found that the behavior you are describing is due to a known limitation with B2C.

    According to the RFC:

    RFC 6749 - The OAuth 2.0 Authorization Framework (ietf.org)

    Authentication code should be used one time.

    With standard Azure AD, a fix was released in 2018:

    Azure Active Directory breaking changes reference | Microsoft Docs

    This is because B2C is completely stateless and does not follow the (OTP RFC) standard here. Standard Azure AD made engineering provisions to track and invalidate AuthZ codes back in 2018, but Azure AD B2C has not completed this work yet. B2C would have to become a stateful service and this is a large investment. So while this is a known issue, this work is not completed at this time. I have shared feedback with the product team about this but you are also welcome to do so in https://feedback.azure.com/

    A workaround is to use the nonce claim.

    See also: B2C nonce

    Let me know if this helps. I've also bubbled this concern with the product team and will update this thread if they get back with additional information.

    -

    If the information helped you, please Accept the answer. This will help us as well as others in the community who might be researching similar issues.

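Since the answer says B2C does not itself invalidate a redeemed code, the relying party can enforce single use on its own side, tying each callback to the state/nonce it issued. This is an added example, not code from the question, the answer or Microsoft; it assumes a Python confidential client, an in-memory store (a shared cache in production) and that the ID token's signature, issuer and audience were already verified before its claims are passed in.

```python
import secrets
import time

# Assumption: matches the authorization-code lifetime configured in the B2C
# policy; entries older than this are pruned from the replay store.
CODE_TTL_SECONDS = 600


class ReplayGuard:
    """Rejects a second redemption of the same authorization code or nonce."""

    def __init__(self):
        self._pending = {}     # state -> (nonce, issued_at)
        self._used_codes = {}  # code -> time it was consumed

    def begin_auth(self):
        """Mint state and nonce for one authorization request (hypothetical helper)."""
        state = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self._pending[state] = (nonce, time.time())
        return state, nonce

    def _prune(self, now):
        self._pending = {s: v for s, v in self._pending.items()
                         if now - v[1] <= CODE_TTL_SECONDS}
        self._used_codes = {c: t for c, t in self._used_codes.items()
                            if now - t <= CODE_TTL_SECONDS}

    def accept_callback(self, state, code, id_token_claims):
        """Return True exactly once per (state, code); any replay returns False.
        id_token_claims is the already-verified payload of the ID token that
        redeeming `code` produced."""
        now = time.time()
        self._prune(now)
        if code in self._used_codes:          # same code presented twice
            return False
        pending = self._pending.pop(state, None)  # state is consumed here
        if pending is None:                   # unknown, expired or replayed state
            return False
        expected_nonce, _issued_at = pending
        token_nonce = str(id_token_claims.get("nonce", ""))
        if not secrets.compare_digest(token_nonce, expected_nonce):
            return False                      # ID token not bound to this request
        self._used_codes[code] = now
        return True
```

A replayed code that the provider still honours yields an ID token carrying the original nonce, and that nonce has already been consumed with its state, so the second callback is refused.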
