I don't see it mentioned anywhere in the 2.0 spec, is nonce not used by OAuth 2 and if not, how does it prevent replay attacks?
The 1.0 spec states:
3.3. Nonce and Timestamp
The timestamp value MUST be a positive integer. Unless otherwise specified by the server's documentation, the timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT.
A nonce is a random string, uniquely generated by the client to allow the server to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel. The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations.
To avoid the need to retain an infinite number of nonce values for future checks, servers MAY choose to restrict the time period after which a request with an old timestamp is rejected. Note that this restriction implies a level of synchronization between the client's and server's clocks. Servers applying such a restriction MAY provide a way for the client to sync with the server's clock; alternatively, both systems could synchronize with a trusted time service. Details of clock synchronization strategies are beyond the scope of this specification.
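The server-side check that section 3.3 describes, written out as an added example (this is not code from the question, the spec, or any OAuth library): requests whose timestamp falls outside a configurable window are rejected, and within that window the (client credentials, token, timestamp, nonce) combination must be unique. The window size, the `now` callable used as the clock, and the decision to reject timestamps too far in the future as well as the past are assumptions of this example.

```python
import time


class NonceReplayDetector:
    """Replay check in the style of OAuth 1.0 section 3.3.

    The server only has to remember nonces for `window_seconds`, because any
    request carrying a timestamp older than that is rejected outright.
    """

    def __init__(self, window_seconds=300, now=time.time):
        # Assumed: a 5-minute window and an injectable clock (for tests).
        self.window = window_seconds
        self.now = now
        # (client_key, token, timestamp, nonce) -> timestamp, kept for pruning
        self._seen = {}

    def check(self, client_key, token, timestamp, nonce):
        """Return (accepted, reason) for one incoming request."""
        now = int(self.now())
        # Spec: the timestamp MUST be a positive integer.
        if not isinstance(timestamp, int) or timestamp <= 0:
            return (False, "timestamp must be a positive integer")
        # Spec: servers MAY reject requests with an old timestamp; this example
        # also rejects timestamps too far in the future (an assumption).
        if abs(now - timestamp) > self.window:
            return (False, "timestamp outside acceptable window")
        self._prune(now)
        key = (client_key, token, timestamp, nonce)
        # Spec: the nonce MUST be unique across requests with the same
        # timestamp, client credentials and token.
        if key in self._seen:
            return (False, "nonce already used")
        self._seen[key] = timestamp
        return (True, "accepted")

    def _prune(self, now):
        # Forget entries whose timestamp can no longer pass the window check.
        cutoff = now - self.window
        stale = [k for k, ts in self._seen.items() if ts < cutoff]
        for k in stale:
            del self._seen[k]


if __name__ == "__main__":
    # Constructed sample traffic with a fixed clock.
    detector = NonceReplayDetector(window_seconds=300, now=lambda: 1_000_000)
    print(detector.check("client-a", "token-1", 1_000_000, "n1"))  # accepted
    print(detector.check("client-a", "token-1", 1_000_000, "n1"))  # replay
    print(detector.check("client-a", "token-1", 999_000, "n2"))    # too old
```

This check is only meaningful because, in OAuth 1.0, `oauth_nonce` and `oauth_timestamp` are part of the signed request; an attacker cannot simply swap in a fresh nonce without invalidating the signature. In a real deployment the `_seen` store would need to be shared across server instances (for example in a cache with a TTL equal to the window).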
Nonce. This is a random, unique string value to associate a user-session with an ID Token and to mitigate replay attacks.
OAuth 2.0 is an authorization protocol and NOT an authentication protocol. As such, it is designed primarily as a means of granting access to a set of resources, for example, remote APIs or user's data. OAuth 2.0 uses Access Tokens.
nonce. String. The nonce matches the parameter included in the original /authorize request to the IDP. If it does not match, your application should reject the token.
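The check described above, as an added example rather than code from the answer or from any identity provider's SDK: the client generates a random nonce, stores it in the user's session, sends it on the /authorize request, and later requires the ID token's `nonce` claim to match the stored value exactly once. The session dictionary, the `oidc_nonce` key, and the authorization endpoint and client parameters are assumptions of this example; it assumes the ID token's signature, issuer and audience have already been verified before the claims are handed to it.

```python
import hmac
import secrets
from urllib.parse import urlencode


def start_login(session):
    """Create a fresh nonce, bind it to this user-session, and return it."""
    nonce = secrets.token_urlsafe(32)  # 256 bits of randomness
    session["oidc_nonce"] = nonce  # assumed session key
    return nonce


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, state, nonce):
    """Build the /authorize request that carries the nonce to the IdP.

    All parameter values are supplied by the caller; nothing here is a real
    provider's endpoint.
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return authorize_endpoint + "?" + urlencode(params)


def validate_id_token_nonce(session, id_token_claims):
    """Return True only if the ID token's nonce matches the session's nonce.

    The stored nonce is removed on first use, so a second token carrying the
    same nonce (a replay) fails even though its value is 'correct'.
    """
    expected = session.pop("oidc_nonce", None)
    presented = id_token_claims.get("nonce")
    if expected is None or not isinstance(presented, str):
        return False
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


if __name__ == "__main__":
    # Constructed walk-through of one login.
    session = {}
    nonce = start_login(session)
    print(build_authorize_url("https://idp.example/authorize", "my-client",
                              "https://app.example/cb", "st-123", nonce))
    # Constructed claims, standing in for an already signature-verified ID token.
    claims = {"sub": "user-1", "nonce": nonce}
    print(validate_id_token_nonce(session, claims))   # True
    print(validate_id_token_nonce(session, claims))   # False: nonce consumed
```

Note that `nonce` and `state` serve different purposes: `state` protects the redirect back to the client against CSRF, while `nonce` is echoed inside the signed ID token and binds that token to the session that requested it. Consuming the stored nonce on first use is what turns the "must match" rule into a replay defence.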
This is captured in a separate spec. See OAuth 2.0 Threat Model and Security Considerations for details/answers :)