extend AUTHORIZATION_CODE_EXPIRE_SECONDS

[matiseni51]

Hi!

Is your feature request related to a problem? Please describe.

For the grant_type=authorization_code:
It was kind of annoying that you have just a few seconds to make the call to authorize the App and get the code, I always had to extend the expire time.

Describe the solution you'd like

I suggest change the default time (https://github.com/jazzband/django-oauth-toolkit/blob/master/oauth2_provider/settings.py#L52)
from
"AUTHORIZATION_CODE_EXPIRE_SECONDS": 60
to
"AUTHORIZATION_CODE_EXPIRE_SECONDS": 600

(I think it's just there)

Describe alternatives you've considered

The alternative i'm currently using is just adding this key to my settings

OAUTH2_PROVIDER = {
   ...,
    'AUTHORIZATION_CODE_EXPIRE_SECONDS': 600,
   ...,
}

Additional context

I'm only suggestting this change because i spent quite some time looking how to modify this and, i found out that there's a recommendation already in the docs.

https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2

A maximum authorization code lifetime of 10 minutes is RECOMMENDED.

Of course, probably i might being missing something and in that case just discard this issue.
btw thanks for the library!

[n2ygk]

Seems like this makes sense to match the RFC recommendation. Perhaps check if updates to 6749 have changed the recommendation (look for OAuth 2 BCPs, Oauth2.1, etc.) and then submit a PR

[matiseni51]

@n2ygk I found a couple of BCPs that update this RFC, non of them refer to this AUTHORIZATION_CODE expire time.
Apart from that i only saw a brief description in the OAuth web:

Generating the Authorization Code

The authorization code must expire shortly after it is issued. The OAuth 2.0 spec recommends a maximum lifetime of 10 minutes, but in practice, most services set the expiration much shorter, around 30-60 seconds. The authorization code itself can be of any length, but the length of the codes should be documented.

So, it's your call really, just lmk if you want that i submit the PR changing the time.
Other option might be add a line in the docs describing the current situation.
If not, just close the issue.

[n2ygk]

@matiseni51 thanks for researching this. If seems like we should keep the current value then as we should always trend toward more secure and changing this default would weaken security for current users of the default. Those who need to extended it can always do so via the settings.

Unfortunately the current documentation doesn't match the code and is misleading. Perhaps a PR to clarify the documentation is in order as the RFC says:

The authorization code MUST expiremshortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED.

While the documentation incorrectly states:

The number of seconds an authorization code remains valid. Requesting an access token after this duration will fail. RFC6749 Section 4.1.2 recommends a 10 minutes (600 seconds) duration.