
OAuth2.0 Authorization Code - security issue - race condition #618

@JonathanHuot

Description

Describe the bug

If multiple workers/threads are processing the same code at the same time, we can have a race condition where multiple responses contain valid tokens.

The current code validation calls the RequestValidator callbacks in this order:

  • validate_code(client_id, code, client, request)
  • save_bearer_token(token, request)
  • invalidate_authorization_code(client_id, code, request)

As an example, if save_bearer_token spends 10 seconds, we have a timeframe of 10 seconds where another request can be validated in validate_code before the first request reaches invalidate_authorization_code.

How to reproduce

Add a sleep of X seconds in save_bearer_token, and try to send multiple token requests with the same code. If you can get multiple tokens, then your implementation is affected by this race condition.

Expected behavior

A code is a unique grant and it cannot be used twice. The RequestValidator implementation should be robust to that by design.

Additional context

Note that the race condition can be avoided depending on the implementation of the RequestValidator. However, that unnecessary complexity must be avoided.

  • Are you using OAuth1, OAuth2 or OIDC?
    OAuth2
  • Are you writing client or server side code?
    Server code
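The race described in the issue, reproduced and then closed, as an added example that is not part of the issue or of oauthlib's own code. It uses a small stand-in for oauthlib's RequestValidator that exposes only the three callbacks named above, called in the order the issue lists; the client id, the code, the delay and the `exchange_code`/`race` helpers are assumptions of this example. The naive validator only reads the code in `validate_code` and deletes it later in `invalidate_authorization_code`, so two concurrent exchanges both get a token. The hardened validator consumes the code atomically inside `validate_code` (check-and-delete under one lock), so the second caller is rejected regardless of how slow `save_bearer_token` is.

```python
import secrets
import threading
import time

# Constructed sample data for this example (not from the issue).
CLIENT_ID = "client-123"
CODE = "authz-code-abc"


class NaiveValidator:
    """Check and invalidate are separate steps, so there is a window between them."""

    def __init__(self, delay=0.5):
        self.codes = {CODE: CLIENT_ID}   # code -> client it was issued to
        self.tokens = []
        self.delay = delay               # simulated slow token storage

    def validate_code(self, client_id, code, request=None):
        # Read-only check: the code is NOT consumed here.
        return self.codes.get(code) == client_id

    def save_bearer_token(self, token, request=None):
        time.sleep(self.delay)           # the "sleep of X seconds" from the issue
        self.tokens.append(token)

    def invalidate_authorization_code(self, client_id, code, request=None):
        # Runs only after save_bearer_token, i.e. after the window has passed.
        self.codes.pop(code, None)


class AtomicValidator(NaiveValidator):
    """Consumes the code in validate_code, under a lock, as a single step."""

    def __init__(self, delay=0.5):
        super().__init__(delay)
        self._lock = threading.Lock()

    def validate_code(self, client_id, code, request=None):
        # Check-and-consume together; a second concurrent caller sees it gone.
        # With a database this is the same idea as
        #   UPDATE authorization_codes SET used=1 WHERE code=? AND used=0
        # followed by checking that exactly one row was affected.
        with self._lock:
            if self.codes.get(code) != client_id:
                return False
            del self.codes[code]
            return True

    def invalidate_authorization_code(self, client_id, code, request=None):
        pass  # already consumed in validate_code; must stay idempotent


def exchange_code(validator, client_id, code):
    """The token endpoint's code exchange, in the callback order the issue describes."""
    if not validator.validate_code(client_id, code):
        return None
    token = {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}
    validator.save_bearer_token(token)
    validator.invalidate_authorization_code(client_id, code)
    return token


def race(validator, workers=2):
    """Fire `workers` concurrent exchanges of the same code; return the tokens issued."""
    barrier = threading.Barrier(workers)
    results = [None] * workers

    def worker(i):
        barrier.wait()                   # release all threads at the same instant
        results[i] = exchange_code(validator, CLIENT_ID, CODE)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return [r for r in results if r is not None]


if __name__ == "__main__":
    print("naive  :", len(race(NaiveValidator())), "token(s) issued for one code")
    print("atomic :", len(race(AtomicValidator())), "token(s) issued for one code")
```

Running the block prints two tokens for the naive validator and one for the atomic one. The fix is in the validator, not in oauthlib's call order: whichever callback first decides the code is good must also be the step that makes it unusable for everyone else, and `invalidate_authorization_code` must tolerate being called for a code that is already gone.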

Labels: Bug, OAuth2-Provider (this impacts the provider part of OAuth2)