oauth-2.0 - Does OAuth 2 use a nonce?

Tags: oauth-2.0

I don't see it anywhere in the 2.0 spec. Does OAuth 2 not use a nonce, and if not, how does it now prevent replay attacks?
The 1.0 spec states:

3.3. Nonce and Timestamp

The timestamp value MUST be a positive integer. Unless otherwise specified by the server's documentation, the timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT.

A nonce is a random string, uniquely generated by the client to allow the server to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel. The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations.

To avoid the need to retain an infinite number of nonce values for future checks, servers MAY choose to restrict the time period after which a request with an old timestamp is rejected. Note that this restriction implies a level of synchronization between the client's and server's clocks. Servers applying such a restriction MAY provide a way for the client to sync with the server's clock; alternatively, both systems could synchronize with a trusted time service. Details of clock synchronization strategies are beyond the scope of this specification.
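The quoted section 3.3 describes a concrete server-side check: reject requests whose timestamp falls outside an accepted window, and within that window reject any repeat of a (timestamp, client credentials, token, nonce) combination, so the server only has to remember nonces for as long as the window is open. The following Python is an added example of that check, not code from the question, the answer, or any OAuth library. It assumes the signature has already been verified separately, that the parameters arrive as a dict of the standard `oauth_timestamp`, `oauth_nonce`, `oauth_consumer_key` and `oauth_token` fields, and that the server chooses a 300-second skew window (the spec leaves the window size to the server). Rejecting timestamps too far in the future is an additional choice made here, because accepting unbounded future timestamps would again force the server to retain nonces indefinitely.

```python
import time
from collections import deque


class ReplayDetector:
    """Replay check for OAuth 1.0 nonce + timestamp (RFC 5849 section 3.3).

    Added example; not from the original post or any OAuth library.
    max_skew is an assumed window: the spec only says servers MAY reject
    requests with an old timestamp and leaves the period unspecified.
    """

    def __init__(self, max_skew=300, now=time.time):
        self.max_skew = max_skew
        self.now = now  # injectable clock so the check can be tested deterministically
        self.seen = set()     # (timestamp, consumer_key, token, nonce) tuples
        self.order = deque()  # same tuples in arrival order, used for eviction

    def _evict(self, current):
        # Forget nonces whose timestamp has aged out of the window. A request
        # carrying such a timestamp is rejected outright by check(), so its
        # nonce no longer needs to be retained. Arrival order is only an
        # approximation of timestamp order, but every retained entry lies
        # within +/- max_skew of the clock, so the table stays bounded.
        cutoff = current - self.max_skew
        while self.order and self.order[0][0] < cutoff:
            self.seen.discard(self.order.popleft())

    def check(self, params):
        """Return (accepted, reason) for one signed request's parameters."""
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "missing or non-integer oauth_timestamp"
        if ts <= 0:
            return False, "oauth_timestamp must be a positive integer"
        nonce = params.get("oauth_nonce")
        if not nonce:
            return False, "missing oauth_nonce"

        current = int(self.now())
        self._evict(current)
        # Old timestamps (and, by this server's choice, far-future ones) are
        # refused so that the nonce table never needs to grow without bound.
        if abs(current - ts) > self.max_skew:
            return False, "oauth_timestamp outside accepted window"

        # Uniqueness is required across the same timestamp, client credentials
        # and token combination, so all four values form the key.
        key = (
            ts,
            params.get("oauth_consumer_key", ""),
            params.get("oauth_token", ""),
            nonce,
        )
        if key in self.seen:
            return False, "nonce already used for this timestamp/client/token"
        self.seen.add(key)
        self.order.append(key)
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample request with a fixed clock, purely for illustration.
    clock = [1_700_000_000]
    detector = ReplayDetector(max_skew=300, now=lambda: clock[0])
    request = {
        "oauth_timestamp": "1700000000",
        "oauth_nonce": "abc123",
        "oauth_consumer_key": "ck",
        "oauth_token": "tk",
    }
    print("first delivery:", detector.check(request))
    print("replayed copy:", detector.check(request))
```

The important property is the pairing of the two rules: the timestamp window alone would still allow an attacker to replay a captured request for up to `max_skew` seconds, and the nonce set alone would grow forever; together they give replay detection with bounded server state, at the cost of the clock synchronization the spec mentions.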

Accepted answer

This is captured in a separate specification. See OAuth 2.0 Threat Model and Security Considerations for details / the answer :)

Regarding "oauth-2.0 - Does OAuth 2 use a nonce?", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/11837323/
