Do we really need oauth_nonce?

That's right, I know how OAuth works, but I don't know why we need oauth_nonce.

The spec states that the timestamp/nonce must be unique to deal with replay attacks, but what if consumer_key is unique enough?

If consumer_key is not unique, how do I find an appropriate oauth_nonce?

1 answer

Keys are unique, but they do not change often. A nonce, on the other hand, must be unique for each request.

Consider the following scenario. Prerequisite: an attacker can monitor your messages but does not know the secrets. If there is no nonce, they can mount a replay attack: they can simply duplicate and resubmit any of your previous requests, because they know that the requests you have already submitted are valid.

The nonce prevents this, since the server checks all recently used nonces (there is a time limit) and does not accept a nonce twice.

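The server-side check the answer describes, as an added example that is not part of the original question or answer: the server keeps every (consumer_key, timestamp, nonce) triple it has verified for as long as its timestamp would still be accepted, rejects any request that reuses one, and rejects timestamps outside the window. The signature here is a simplified HMAC-SHA1 over the sorted parameters rather than the full OAuth 1.0 base string, and `WINDOW_SECONDS`, `ReplayGuard` and the sample request values are all constructed for this example.

```python
import hmac
import hashlib
import time

WINDOW_SECONDS = 300  # assumed: max clock drift accepted and how long a nonce is remembered


def sign(params, consumer_secret):
    """Simplified HMAC-SHA1 over sorted params (stands in for the OAuth 1.0 base-string signature)."""
    base = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(consumer_secret.encode(), base.encode(), hashlib.sha1).hexdigest()


class ReplayGuard:
    """Server-side nonce store: the check the answer describes, written out."""

    def __init__(self, consumer_secret, clock=time.time):
        self.secret = consumer_secret
        self.clock = clock                # injectable so the example can advance time
        self.seen = {}                    # (consumer_key, timestamp, nonce) -> expiry

    def _purge(self, now):
        # Forget nonces whose timestamp can no longer pass the window check anyway.
        for key in [k for k, exp in self.seen.items() if exp <= now]:
            del self.seen[key]

    def accept(self, params, signature):
        now = self.clock()
        self._purge(now)
        ts = int(params["oauth_timestamp"])
        if abs(now - ts) > WINDOW_SECONDS:
            return False, "timestamp outside window"
        key = (params["oauth_consumer_key"], ts, params["oauth_nonce"])
        if key in self.seen:
            return False, "nonce already used (replay)"
        if not hmac.compare_digest(sign(params, self.secret), signature):
            return False, "bad signature"
        # Only a request that verified is remembered, so unsigned junk cannot poison the store.
        self.seen[key] = ts + WINDOW_SECONDS
        return True, "ok"


def demo():
    """Legitimate request, its replay, a fresh-nonce request, and a stale replay after the window."""
    clock = [1_700_000_000]  # constructed epoch time
    guard = ReplayGuard("s3cret", clock=lambda: clock[0])
    req = {"oauth_consumer_key": "client-1", "oauth_timestamp": str(clock[0]),
           "oauth_nonce": "a1b2c3", "method": "GET", "path": "/photos"}
    sig = sign(req, "s3cret")
    first = guard.accept(req, sig)[0]        # True: new nonce, valid signature
    replay = guard.accept(req, sig)[0]       # False: same triple already seen
    fresh = dict(req, oauth_nonce="d4e5f6")
    fresh_ok = guard.accept(fresh, sign(fresh, "s3cret"))[0]  # True: new nonce, same key
    clock[0] += WINDOW_SECONDS + 1
    stale = guard.accept(req, sig)[0]        # False: nonce purged, but timestamp is now too old
    return first, replay, fresh_ok, stale
```

Note that a replayed request fails even though its signature is perfectly valid, which is exactly why the consumer key alone cannot stand in for the nonce.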
