Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect stale nonces #168

Open
Sean-Der opened this issue Sep 27, 2020 · 1 comment
Open

Detect stale nonces #168

Sean-Der opened this issue Sep 27, 2020 · 1 comment

Comments

@Sean-Der
Copy link
Member

Update buildNonce and authenticateRequest to generate and check the times on those.
@jech
Copy link
Member

jech commented Jan 27, 2021

That's debatable.

RFC 8489 merely says "See Section 5.4 of [RFC7616] for guidelines.", while RFC 7616 says

   the server is
   free to construct the nonce such that it MAY only be used from a
   particular client, for a particular resource, for a limited period of
   time or number of uses, or any other restrictions.  Doing so
   strengthens the protection provided against, for example, replay
   attacks (see Section 5.5).  However, it should be noted that the
   method chosen for generating and checking the nonce also has
   performance and resource implications.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jech @Sean-Der