OAuth2-409
security
auth_error
ai_generated: true
OAuth2 token reuse detected: same authorization code used more than once
ID: security/oauth2-token-reuse-detection
Fix Rate: 93%
Confidence: 88%
Evidence: 1
First Seen: 2024-01-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| OAuth2 2.0 | active | — | — | — |
| Spring Authorization Server 1.1 | active | — | — | — |
| Keycloak 22.0 | active | — | — | — |
| Okta 2023.08 | active | — | — | — |
Root Cause
An OAuth2 authorization code was used to request a token more than once, indicating a potential replay attack where the code was intercepted and reused.
Official Documentation
https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2
Workarounds
- 95% success: Implement strict one-time use for authorization codes: after a code is redeemed, mark it as used in the database and reject any subsequent request with the same code. Example: `UPDATE codes SET used=true WHERE code=? AND used=false`
- 90% success: Use Proof Key for Code Exchange (PKCE) to bind the authorization code to a client-generated verifier, preventing reuse even if the code is intercepted. For mobile apps, always use the S256 challenge method.
Dead Ends
Common approaches that don't work:
- 60% fail: Increasing the authorization code expiration time to reduce user friction enlarges the window for reuse attacks, worsening the security issue.
- 80% fail: Simply ignoring the error and allowing the second request to succeed breaks the OAuth2 spec and enables token theft.
- 20% fail: Generating a fresh code for each request does not address the fact that the original code was compromised.