
OAuth 2.0 Life cycle of "code" in Authorization code Grant

Authorization code Grant: I know the code is a short-lived token exchanged for the real long-lived access token. I have gone through the OAuth 2.0 spec but could not find this information, so I am asking here:

I am using the OAuth 2.0 plugin on the Kong API gateway. It is keeping the code alive for a particular time, and multiple access tokens can be generated using the same code during that time. Is that the expected behaviour?

Thanks for any advice.

  • Authorization codes must be short-lived and should be one-time use to avoid fake use. So, to answer your questions:

    What is the life cycle of code?

    Is it for only one-time use?

    How many times can a code be exchanged to get access token?

    What happens to a code after an access token is given for that code?

    Best practice: the code can be deleted.

    Check out the Google OAuth 2.0 documentation for a better understanding and see how it's used.

    For the Kong issue, it seems it's a bug in Kong and they promised to ship a fix in the 0.9 release. Check this discussion.
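To make the "short-lived, one-time use" rule concrete, here is an added example of an in-memory authorization-code store written for this answer; it is not the Kong plugin's code and does not reflect how Kong stores codes. It assumes a 60-second code lifetime (`CODE_TTL_SECONDS`), binds each code to the `client_id` and `redirect_uri` it was issued for, and, on a second exchange of an already-used code, revokes the access token that the first exchange produced, which is the behaviour RFC 6749 section 4.1.2 recommends for replayed codes. Names such as `AuthServer`, `issue_code` and `exchange` are invented for the example.

```python
"""Single-use, short-lived OAuth 2.0 authorization codes (added example)."""
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 60  # assumption for the example: codes expire after 60 s


@dataclass
class AuthCode:
    """Server-side record for one issued authorization code."""
    client_id: str
    redirect_uri: str
    issued_at: float
    used: bool = False
    tokens: list = field(default_factory=list)  # access tokens minted from it


class AuthServer:
    """Minimal authorization server that enforces the one-time-use rule."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._codes = {}             # code -> AuthCode
        self._active_tokens = set()  # access tokens currently valid

    def issue_code(self, client_id, redirect_uri):
        """Mint an unguessable code bound to the client and redirect URI."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = AuthCode(client_id, redirect_uri, self._clock())
        return code

    def exchange(self, code, client_id, redirect_uri):
        """Swap a code for an access token; returns (token, error)."""
        entry = self._codes.get(code)
        if entry is None:
            return None, "invalid_grant"

        # Expired: drop the record and refuse.
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._codes[code]
            return None, "invalid_grant"

        # The code must be presented by the client it was issued to, with
        # the same redirect_uri used in the authorization request.
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return None, "invalid_grant"

        # Replay: the code was already exchanged. RFC 6749 4.1.2 says the
        # server SHOULD revoke tokens previously issued from that code.
        if entry.used:
            for token in entry.tokens:
                self._active_tokens.discard(token)
            del self._codes[code]
            return None, "invalid_grant"

        entry.used = True
        token = secrets.token_urlsafe(32)
        entry.tokens.append(token)
        self._active_tokens.add(token)
        return token, None

    def token_is_active(self, token):
        """Resource servers would call this (or introspect) before serving."""
        return token in self._active_tokens


def demo():
    """Run the three cases the answer describes; returns a summary dict."""
    now = [1_000.0]
    srv = AuthServer(clock=lambda: now[0])
    cb = "https://app.example/cb"  # constructed redirect URI

    code = srv.issue_code("app", cb)
    first_token, first_err = srv.exchange(code, "app", cb)
    second_token, second_err = srv.exchange(code, "app", cb)  # replay

    stale = srv.issue_code("app", cb)
    now[0] += CODE_TTL_SECONDS + 1                               # let it expire
    stale_token, stale_err = srv.exchange(stale, "app", cb)

    return {
        "first_ok": first_token is not None and first_err is None,
        "replay_rejected": second_token is None and second_err == "invalid_grant",
        "first_token_revoked": not srv.token_is_active(first_token),
        "expired_rejected": stale_token is None and stale_err == "invalid_grant",
    }


if __name__ == "__main__":
    print(demo())
```

With this store, the second exchange of the same code fails and also invalidates the token from the first exchange, so a leaked code cannot quietly yield a second session; that is the opposite of the behaviour the question reports from the Kong plugin.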