Menu
Right, I know how oauth works, but I don't know why we need oauth_nonce.
The specification says timestamp / nonce has to be unique to solve replay attacks, but what about if consumer_key is unique enough?
If consumer_key is not unique, how does it find corresponding oauth_nonce?
836
oauth_signature. The signature base string: a consistent, reproducible concatenation of several of the HTTP request elements into a single string. The string is used as an input to the signature method.
The purpose of a nonce is to make each request unique so that an attacker can't replay a request in a different context. It doesn't matter if the attacker gets the nonce: in fact the point is that because the data includes a nonce, it won't be useful to the attacker.
Nonce. This is a random, unique string value to associate a user-session with an ID Token and to mitigate replay attacks.
Keys are unique but don't change often. A nonce on the other hand needs to be unique per request.
Consider the following scenario. Prerequisites are: An attacker can spy on your communication but does not know any secrets. If there is no nonce, he can do a replay attack: He can simply duplicate and resend any of your previous requests, because he knows the requests you already send are valid.
A nonce prevents this, as the server checks all recently used nonces (there is a time limit) and does not accept any nonce twice.
55
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
