How long is a code valid for exchanging with tokens?

We have an OIDC callback that receives the code via a query param. We then call the Auth0 oauth/token API to exchange the code for tokens.

I can see that the code appears to be a single-use code. The second call to the token endpoint with the same code gives an error.

But if I don’t use the code at all, how long will it be valid for before it times out and can no longer be used for exchange?

Thanks

Hi @djones,

Welcome to the Auth0 Community Forum!

I can’t find a specific time, but according to the spec:

The authorization code generated by the
authorization server. The authorization code MUST expire
shortly after it is issued to mitigate the risk of leaks. A
maximum authorization code lifetime of 10 minutes is
RECOMMENDED.

Hope this helps,
Dan
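To make the spec text above concrete, here is an added example (not code from this thread, and not Auth0's implementation) of how an authorization server can enforce the two properties the original poster observed: a code works exactly once, and it stops working after a bounded lifetime. The class and function names (`AuthorizationCodeStore`, `CodeExchangeError`, `FakeClock`, `demo`) are hypothetical, the 600-second limit is the RECOMMENDED maximum from RFC 6749 §4.1.2, and the client ids, redirect URIs and subject are constructed sample values. The store also checks that the code is redeemed by the client and redirect URI it was issued to, which the same section of the spec requires.

```python
import secrets
import time
from dataclasses import dataclass

# RFC 6749 §4.1.2: a maximum authorization code lifetime of 10 minutes is RECOMMENDED.
MAX_CODE_LIFETIME_SECONDS = 600


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    subject: str       # who authenticated; what the token endpoint will mint tokens for
    issued_at: float
    redeemed: bool = False


class CodeExchangeError(Exception):
    """Carries the OAuth 2.0 error the token endpoint would return ("invalid_grant")."""


class AuthorizationCodeStore:
    """Hypothetical server-side store enforcing single use and a bounded lifetime."""

    def __init__(self, lifetime_seconds: float = MAX_CODE_LIFETIME_SECONDS, clock=time.time):
        self._codes: dict[str, IssuedCode] = {}
        self._lifetime = lifetime_seconds
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def issue(self, client_id: str, redirect_uri: str, subject: str) -> str:
        # 32 random bytes, URL-safe: the code only has to be unguessable, not structured.
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(client_id, redirect_uri, subject, self._clock())
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str) -> str:
        entry = self._codes.get(code)
        if entry is None:
            raise CodeExchangeError("invalid_grant: unknown code")
        if entry.redeemed:
            # Second use of the same code. RFC 6749 says the server MUST deny this and
            # SHOULD revoke tokens already issued from the code; we keep redeemed entries
            # (until they expire) precisely so that reuse is distinguishable from an unknown code.
            raise CodeExchangeError("invalid_grant: code already used")
        if self._clock() - entry.issued_at > self._lifetime:
            del self._codes[code]
            raise CodeExchangeError("invalid_grant: code expired")
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            # The code is bound to the client and redirect_uri from the authorization request.
            raise CodeExchangeError("invalid_grant: client_id or redirect_uri mismatch")
        entry.redeemed = True
        return entry.subject

    def sweep(self) -> int:
        """Drop codes (used or not) older than the lifetime; returns how many were removed."""
        now = self._clock()
        stale = [c for c, e in self._codes.items() if now - e.issued_at > self._lifetime]
        for c in stale:
            del self._codes[c]
        return len(stale)


class FakeClock:
    """Constructed clock so the demo can 'wait' 10 minutes instantly."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walks through the three cases from the thread: first use, reuse, and an unused stale code."""
    clock = FakeClock()
    store = AuthorizationCodeStore(clock=clock)
    client, redirect = "client-abc", "https://app.example/callback"   # constructed values
    outcomes = {}

    code = store.issue(client, redirect, "user-42")
    outcomes["first_exchange"] = store.redeem(code, client, redirect)
    try:
        store.redeem(code, client, redirect)
        outcomes["second_exchange"] = "accepted"
    except CodeExchangeError as exc:
        outcomes["second_exchange"] = str(exc)

    unused = store.issue(client, redirect, "user-42")
    clock.advance(MAX_CODE_LIFETIME_SECONDS + 1)   # never exchanged; now past the lifetime
    try:
        store.redeem(unused, client, redirect)
        outcomes["stale_exchange"] = "accepted"
    except CodeExchangeError as exc:
        outcomes["stale_exchange"] = str(exc)
    outcomes["swept"] = store.sweep()
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

On the client side (the callback handler in the question), the practical consequence is that any `invalid_grant` from the token endpoint should be treated as terminal for that code: retrying the same code cannot succeed, so the user has to be sent back through the authorization request instead.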

Thanks Dan, that was very helpful.
