我起初误解了 OAuth 的时间戳实现,认为这意味着不在当前时间过去 30 秒内的时间戳将被拒绝,结果证明这是错误的,原因有几个,包括我们无法保证无论时区如何,每个系统时钟都足够同步到分钟和秒。然后我又读了一遍以更清楚:
"Unless otherwise specified by the Service Provider, the timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT. The timestamp value MUST be a positive integer and MUST be equal or greater than the timestamp used in previous requests."
来源:http://oauth.net/core/1.0/#nonce
这意味着时间戳仅与来自同一来源的先前请求进行比较,而不与我的服务器系统时钟进行比较。
然后我在这里阅读了更详细的描述:http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iii-security-architecture/
( TL;DR? - 跳到下面的粗体部分)
To prevent compromised requests from being used again (replayed), OAuth uses a nonce and timestamp. The term nonce means ‘number used once’ and is a unique and usually random string that is meant to uniquely identify each signed request. By having a unique identifier for each request, the Service Provider is able to prevent requests from being used more than once. This means the Consumer generates a unique string for each request sent to the Service Provider, and the Service Provider keeps track of all the nonces used to prevent them from being used a second time. Since the nonce value is included in the signature, it cannot be changed by an attacker without knowing the shared secret.
Using nonces can be very costly for Service Providers as they demand persistent storage of all nonce values received, ever. To make implementations easier, OAuth adds a timestamp value to each request which allows the Service Provider to only keep nonce values for a limited time. When a request comes in with a timestamp that is older than the retained time frame, it is rejected as the Service Provider no longer has nonces from that time period. It is safe to assume that a request sent after the allowed time limit is a replay attack. OAuth provides a general mechanism for implementing timestamps but leaves the actual implementation up to each Service Provider (an area many believe should be revisited by the specification). From a security standpoint, the real nonce is the combination of the timestamp value and nonce string. Only together they provide a perpetual unique value that can never be used again by an attacker.
我感到困惑的原因是,如果 Nonce 只使用一次,为什么服务提供商会根据时间戳拒绝? “服务提供商不再有那个时间段的随机数”让我感到困惑,听起来好像随机数可以重用,只要它在上次使用的 30 秒内。
那么有人可以帮我解决这个问题吗?如果随机数是一次性使用并且我没有将时间戳与我自己的系统时钟进行比较(因为这显然不可靠),那么时间戳有什么意义。时间戳仅彼此相关是有道理的,但对于唯一的随机数要求,它似乎无关紧要。
最佳答案
时间戳用于允许服务器优化其随机数存储。基本上,将读取的随机数视为时间戳和随机字符串的组合。但是通过拥有单独的时间戳组件,服务器可以使用较短的窗口(例如 15 分钟)实现基于时间的限制并限制其所需的存储量。如果没有时间戳,服务器将需要无限的存储空间来保存每个使用过的随机数。
假设您决定允许您的时钟与客户端的时钟之间存在最多 15 分钟的时差,并且正在跟踪数据库表中的 nonce 值。该表的唯一键将是“客户端标识符”、“访问 token ”、“随机数”和“时间戳”的组合。当一个新请求进来时,检查时间戳是否在您时钟的 15 分钟内,然后在您的表中查找该组合。如果找到,则拒绝调用,否则将其添加到您的表中并返回请求的资源。每次向表中添加新的随机数时,删除该“客户端标识符”和“访问 token ”组合的任何记录,其时间戳超过 15 分钟。
关于oauth - 如果 Nonce 只能使用一次,那么 OAuth 中的时间戳有什么意义?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/6865690/