Question
Right, I know how oauth works, but I don't know why we need oauth_nonce.
The specification says timestamp / nonce has to be unique to solve replay attacks, but what about if consumer_key is unique enough?
If consumer_key is not unique, how does it find corresponding oauth_nonce?
Answer 1:
Keys are unique but don't change often. A nonce on the other hand needs to be unique per request.
Consider the following scenario. Prerequisites are: An attacker can spy on your communication but does not know any secrets. If there is no nonce, he can do a replay attack: He can simply duplicate and resend any of your previous requests, because he knows the requests you already sent are valid.
A nonce prevents this, as the server checks all recently used nonces (there is a time limit) and does not accept any nonce twice.
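As an added illustration of the check this answer describes (not code from the original post), here is a minimal server-side timestamp/nonce guard in Python; the consumer key, window length and fixed clock are constructed assumptions.

```python
import time
import secrets


def make_nonce(nbytes=16):
    """Client side: a fresh random nonce for every request."""
    return secrets.token_hex(nbytes)


class ReplayGuard:
    """Server-side oauth_timestamp / oauth_nonce check (RFC 5849 section 3.3).

    The nonce only has to be unique per (client credentials, timestamp), so
    that triple is what the server remembers; entries whose timestamp has
    fallen out of the acceptance window are evicted, which bounds the set.
    """

    def __init__(self, window_seconds=300, clock=time.time):
        self.window = window_seconds
        self.clock = clock  # injectable so the replay scenario is reproducible
        self.seen = set()   # (consumer_key, timestamp, nonce)

    def check(self, consumer_key, timestamp, nonce):
        """Return (accepted, reason). Run after the signature has verified."""
        now = self.clock()
        # Too old or too far in the future: reject, and never store it.
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside acceptance window"
        # Forget triples that can no longer pass the timestamp check anyway.
        self.seen = {k for k in self.seen if now - k[1] <= self.window}
        key = (consumer_key, timestamp, nonce)
        if key in self.seen:
            return False, "nonce already used for this key and timestamp"
        self.seen.add(key)
        return True, "accepted"


def demo():
    """The scenario in the answer: a captured request is resent verbatim."""
    fake_time = [1_700_000_000]
    guard = ReplayGuard(window_seconds=300, clock=lambda: fake_time[0])
    captured = ("consumer-abc", 1_700_000_000, make_nonce())  # constructed
    first = guard.check(*captured)        # legitimate request
    replay = guard.check(*captured)       # immediate replay
    fake_time[0] += 600
    late = guard.check(*captured)         # replay after the window closed
    return first[0], replay[0], late[0]
```

The stored key includes the timestamp because RFC 5849 only requires nonce uniqueness per timestamp and client credentials; altering either field to dodge the cache also changes the signature base string, so the signature check that runs first rejects the request.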
Source: https://stackoverflow.com/questions/23088594/do-we-really-need-oauth-nonce