Skip to content

Add invalid_tx_code error code to pre-authz code flow #686

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
awoie wants to merge 8 commits into
base: main
Choose a base branch
from
+28 −3
Open

Add invalid_tx_code error code to pre-authz code flow #686

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
b89c5c1
fix: add invalid_tx_code and security considerations on tx code guessing
awoie Jan 15, 2026
40d6ce7
fix: add doc history
awoie Jan 15, 2026
6e8ec2e
fix: removed 1.0 changes
awoie Jan 15, 2026
7cec13d
fix: removed doc history for 1.0
awoie Jan 15, 2026
e9cab1f
fix: fixed doc history
awoie Jan 15, 2026
08a348e
fix: fixed change log
awoie Jan 15, 2026
00c225e
fix: updated doc history 1.0
awoie Jan 15, 2026
8e1b82f
fix: add security consideration to errata
awoie Feb 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion 1.0/openid-4-verifiable-credential-issuance-1_0.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1503,6 +1503,17 @@ An attacker might leverage the Credential issuance process and the End-User's tr

In order to cope with that issue, the Wallet is RECOMMENDED to interact with trusted Credential Issuers only. In that case, the Wallet would not process a Credential Offer with an untrusted issuer URL. The Wallet MAY also show the End-User the endpoint of the Credential Issuer it will be sending the Transaction Code to and ask the End-User for confirmation.

### Transaction Code Guessing

When the Pre-Authorized Code Flow is used together with a Transaction Code (`tx_code`), the Transaction Code is typically short, low-entropy, and intended for one-time use. As a result, it may be susceptible to online guessing or brute-force attacks if an attacker can repeatedly submit Token Requests using the same Pre-Authorized Code.

To mitigate this risk, the Authorization Server SHOULD limit the number of failed Transaction Code verification attempts associated with a Pre-Authorized Code or issuance transaction. Once a configurable maximum number of failed attempts is exceeded, the Authorization Server SHOULD invalidate the Pre-Authorized Code and reject further Token Requests for that transaction.

Transaction Codes SHOULD be short-lived and SHOULD be treated as single-use. Upon successful verification, a Transaction Code SHOULD NOT be accepted again.

When a valid Pre-Authorized Code is presented with an incorrect Transaction Code, the Authorization Server SHOULD return an error indicating that the provided Transaction Code is invalid.
If the Pre-Authorized Code has expired, has been invalidated (including due to too many failed attempts), or is otherwise no longer valid, the Authorization Server SHOULD return the `invalid_grant` error.

## Credential Lifecycle Management

The Credential Issuer is supposed to be responsible for the lifecycle of its Credentials. This means the Credential Issuer will invalidate Credentials when it deems appropriate, e.g., if it detects fraudulent behavior.
Expand Down Expand Up @@ -3026,7 +3037,7 @@ The technology described in this specification was made available from contribut

-19

* TBD
* Add security consideration on transaction code guessing

-final

Expand Down
18 changes: 16 additions & 2 deletions 1.1/openid-4-verifiable-credential-issuance-1_1.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1162,13 +1162,16 @@ The following additional clarifications are provided for some of the error codes

`invalid_grant`:

- The Authorization Server expects a Transaction Code in the Pre-Authorized Code Flow but the Client provides the wrong Transaction Code.
- The End-User provides the wrong Pre-Authorized Code or the Pre-Authorized Code has expired.
- The End-User provides the wrong Pre-Authorized Code or the Pre-Authorized Code has expired or is no longer valid.

`invalid_client`:

- The Client tried to send a Token Request with a Pre-Authorized Code without a Client ID but the Authorization Server does not support anonymous access.

`invalid_tx_code`:
Copy link
Copy Markdown
Contributor

@paulbastian paulbastian Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe it makes sense to differentiate error codes, where the AS allows for a retry of sending Token Request with a new Transaction Code or whether this terminates the issuance session. Is the intention to allows retry for invalid_tx_code?


- The Authorization Server expects a Transaction Code in the Pre-Authorized Code Flow but the Client provides the wrong Transaction Code.

Below is a non-normative example of a Token Error Response:

```
Expand Down Expand Up @@ -1908,6 +1911,16 @@ An attacker might leverage the Credential issuance process and the End-User's tr

In order to cope with that issue, the Wallet is RECOMMENDED to interact with trusted Credential Issuers only. In that case, the Wallet would not process a Credential Offer with an untrusted issuer URL. The Wallet MAY also show the End-User the endpoint of the Credential Issuer it will be sending the Transaction Code to and ask the End-User for confirmation.

### Transaction Code Guessing

When the Pre-Authorized Code Flow is used together with a Transaction Code (`tx_code`), the Transaction Code is typically short, low-entropy, and intended for one-time use. As a result, it may be susceptible to online guessing or brute-force attacks if an attacker can repeatedly submit Token Requests using the same Pre-Authorized Code.

To mitigate this risk, the Authorization Server SHOULD limit the number of failed Transaction Code verification attempts associated with a Pre-Authorized Code or issuance transaction. Once a configurable maximum number of failed attempts is exceeded, the Authorization Server SHOULD invalidate the Pre-Authorized Code and reject further Token Requests for that transaction.

Transaction Codes SHOULD be short-lived and SHOULD be treated as single-use. Upon successful verification, a Transaction Code SHOULD NOT be accepted again.

When a valid Pre-Authorized Code is presented with an incorrect Transaction Code, the Authorization Server SHOULD return the `invalid_tx_code` error. If the Pre-Authorized Code has expired, has been invalidated (including due to too many failed attempts), or is otherwise no longer valid, the Authorization Server SHOULD return the `invalid_grant` error.

## Credential Lifecycle Management

The Credential Issuer is supposed to be responsible for the lifecycle of its Credentials. This means the Credential Issuer will invalidate Credentials when it deems appropriate, e.g., if it detects fraudulent behavior.
Expand Down Expand Up @@ -3461,3 +3474,4 @@ The technology described in this specification was made available from contribut
* Add back Interactive Authorization Endpoint text that was removed from the 1.0 draft
* add require_interactive_authorization_request to AS metadata
* add interactive_authorization_endpoint to AS metadata section
* add invalid_tx_code to Pre-Authz Code Flow