Change By: Ivo Ladage - van Doorn (22/May/12 11:45 AM)
Summary: OAuth server nonce validator fails on validation of the same request within 1 millisecond (previous summary: "Design flaw in OAuth server nonce validator")
Description:
The nonce validator of the Amdatu OAuth server fails upon the second validation of the same request within the same millisecond (previous wording: "contains a design flaw"). To verify whether a nonce has already been used, it tries to persist the nonce for the 'now' timestamp. If the nonce store already contains a nonce for this timestamp, validation fails.
This is not what it should do; there are two issues:
- Calling validate on the same request twice should have the same result.
- The nonce should be associated with the timestamp of the request, not with the 'now' timestamp.
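The two store designs side by side, as an added illustration that is not Amdatu code and uses no Amdatu API: NowKeyedNonceStore persists the nonce under the server's arrival millisecond as the issue describes, so a second request in the same millisecond is rejected while a replay one millisecond later passes; RequestKeyedNonceStore binds the nonce to the request's own oauth_timestamp and consumer key (the uniqueness scope RFC 5849 section 3.3 defines), so the verdict for a given request is the same whenever the server evaluates it. The 300-second skew window and the prune() helper are assumptions added to show how a request-keyed store stays bounded; the request values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OAuthRequest:
    consumer_key: str   # oauth_consumer_key as sent by the client
    nonce: str          # oauth_nonce as sent by the client
    timestamp: int      # oauth_timestamp in seconds, as sent by the client


class NowKeyedNonceStore:
    """Design described in the issue: the nonce is persisted under the server's
    'now' millisecond, and validation fails if that millisecond already holds one."""

    def __init__(self):
        self._by_arrival_ms = {}

    def validate(self, req: OAuthRequest, now_ms: int) -> bool:
        if now_ms in self._by_arrival_ms:
            return False                  # collides with *any* request from that ms
        self._by_arrival_ms[now_ms] = req.nonce
        return True


class RequestKeyedNonceStore:
    """Corrected design: the nonce is bound to the request's own timestamp and
    consumer key, so the outcome does not depend on the server clock."""

    def __init__(self, max_skew_s: int = 300):   # window is an assumed policy
        self._seen = set()
        self.max_skew_s = max_skew_s

    def validate(self, req: OAuthRequest, now_s: int) -> bool:
        # Reject stale or far-future timestamps so old entries can be pruned.
        if abs(now_s - req.timestamp) > self.max_skew_s:
            return False
        key = (req.consumer_key, req.timestamp, req.nonce)
        if key in self._seen:
            return False                  # replay of an already-validated request
        self._seen.add(key)
        return True

    def prune(self, now_s: int) -> int:
        """Drop entries outside the skew window; returns how many were removed."""
        stale = {k for k in self._seen if now_s - k[1] > self.max_skew_s}
        self._seen -= stale
        return len(stale)


def demo_flawed():
    """Constructed scenario against the now-keyed store."""
    store = NowKeyedNonceStore()
    a = OAuthRequest("client-1", "n-a", 1700000000)
    b = OAuthRequest("client-1", "n-b", 1700000000)
    return (
        store.validate(a, now_ms=1700000000000),  # first request accepted
        store.validate(b, now_ms=1700000000000),  # different request, same ms: rejected
        store.validate(a, now_ms=1700000000001),  # replay of a, one ms later: accepted
    )


def demo_fixed():
    """Same constructed scenario against the request-keyed store."""
    store = RequestKeyedNonceStore(max_skew_s=300)
    a = OAuthRequest("client-1", "n-a", 1700000000)
    b = OAuthRequest("client-1", "n-b", 1700000000)
    stale = OAuthRequest("client-1", "n-old", 1700000000 - 3600)
    first = store.validate(a, now_s=1700000000)     # accepted
    other = store.validate(b, now_s=1700000000)     # same second, different nonce: accepted
    replay = store.validate(a, now_s=1700000001)    # replay of a: rejected, whenever it arrives
    too_old = store.validate(stale, now_s=1700000000)  # outside skew window: rejected
    pruned = store.prune(now_s=1700000400)          # a and b are now older than the window
    return first, other, replay, too_old, pruned


if __name__ == "__main__":
    print("now-keyed store:    ", demo_flawed())
    print("request-keyed store:", demo_fixed())
```

The flawed store gives (True, False, True): it rejects a legitimate concurrent request and accepts a replay. The request-keyed store gives (True, True, False, False, 2): concurrent requests with distinct nonces both pass, the replay is rejected regardless of timing, and the skew window keeps the set of remembered nonces finite.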
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
Amdatu-developers mailing list
[email protected]
http://lists.amdatu.org/mailman/listinfo/amdatu-developers