
Right, I know how OAuth works, but I don't know why we need oauth_nonce.

The specification says the timestamp/nonce has to be unique to prevent replay attacks, but what if consumer_key is unique enough?

If consumer_key is not unique, how does it find the corresponding oauth_nonce?

Tom Wright
user2234995

1 Answer

Keys are unique but don't change often. A nonce, on the other hand, needs to be unique per request.

Consider the following scenario. The prerequisites are: an attacker can spy on your communication but does not know any secrets. If there is no nonce, he can do a replay attack: he can simply duplicate and resend any of your previous requests, because he knows the requests you already sent are valid.

A nonce prevents this, as the server checks all recently used nonces (there is a time limit) and does not accept any nonce twice.

kapex

    Thanks for your reply! Now I know. I cannot use the key rather than the nonce to identify the consumer because the consumer may request again; if we use a nonce we can use a unique nonce to avoid a replay attack, but if I record consumer_key instead of the nonce, it cannot even do a normal request because I already recorded its consumer_key as already visited – user2234995 Apr 16 '14 at 02:20
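The server-side check the answer describes, written out as an added example (this is not code from the answer or from any OAuth library). It follows RFC 5849 §3.3, where the nonce only has to be unique per (consumer key, token, timestamp) combination, and shows why the time limit matters: once a timestamp is older than the accepted window, the server can forget its nonces, because a replay of that request fails the timestamp check anyway. The in-memory `NonceStore`, the 300-second window and the sample key `"ck"`/token `"tok"` are assumptions made for the example.

```python
import secrets
import time

# Accept timestamps at most this many seconds from the server clock.
# The value is an assumption for this example; RFC 5849 leaves the
# window to the server.
CLOCK_SKEW_SECONDS = 300


class NonceStore:
    """Remembers (consumer_key, token, timestamp, nonce) tuples seen within
    the clock-skew window so a captured request cannot be resent.
    Hypothetical in-memory store; a real server would share this across
    instances (e.g. in a cache) so all front ends see the same nonces."""

    def __init__(self, window=CLOCK_SKEW_SECONDS):
        self.window = window
        self._seen = {}  # (consumer_key, token, timestamp, nonce) -> timestamp

    def check(self, consumer_key, token, timestamp, nonce, now=None):
        """Return (accepted, reason). The caller still has to verify the
        signature; this only answers 'have we seen this request before?'."""
        now = time.time() if now is None else now

        # 1. Reject timestamps outside the window. This bounds how long
        #    nonces must be remembered: anything older can be forgotten,
        #    because a replay of it is rejected here regardless.
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside acceptable window"

        # 2. Drop nonces whose timestamps have fallen out of the window.
        cutoff = now - self.window
        for key in [k for k, ts in self._seen.items() if ts < cutoff]:
            del self._seen[key]

        # 3. Reject any nonce this client already used with this timestamp.
        #    The consumer key is part of the tuple, so two different
        #    consumers may legitimately pick the same nonce value.
        key = (consumer_key, token, timestamp, nonce)
        if key in self._seen:
            return False, "nonce already used"
        self._seen[key] = timestamp
        return True, "ok"


def new_nonce():
    """Client side: a fresh, unpredictable value for every request."""
    return secrets.token_hex(16)


def demo():
    """Walk through the scenario from the answer with a fixed clock.
    Returns the accept/reject decision for each of the four requests."""
    store = NonceStore()
    t0 = 1_700_000_000
    nonce = new_nonce()
    # Legitimate request from the consumer.
    first = store.check("ck", "tok", t0, nonce, now=t0)
    # Attacker resends the captured request unchanged ten seconds later.
    replay = store.check("ck", "tok", t0, nonce, now=t0 + 10)
    # Same consumer sends a new request with a new nonce: must be accepted.
    # This is what a check keyed on consumer_key alone would wrongly block.
    second = store.check("ck", "tok", t0 + 10, new_nonce(), now=t0 + 10)
    # Replay long after the window: the nonce may already be forgotten,
    # but the stale timestamp rejects it on its own.
    late = store.check("ck", "tok", t0, nonce, now=t0 + 600)
    return first[0], replay[0], second[0], late[0]


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The store is keyed on the full tuple rather than on the nonce alone, which is what the questioner's comment gets at: the consumer key identifies who is talking, the nonce identifies which request, and only the combination lets the server reject a duplicate without also rejecting the consumer's next legitimate call.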