{
  "id": "security/oauth2-token-reuse-detection",
  "signature": "OAuth2 token reuse detected: same authorization code used more than once",
  "signature_zh": "OAuth2令牌重用检测到：同一授权码被多次使用",
  "regex": "authorization code.*already used|code.*reuse|token.*already redeemed|duplicate authorization code",
  "domain": "security",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "An OAuth2 authorization code was presented to the token endpoint more than once. RFC 6749 §4.1.2 requires the authorization server to deny the repeated request and recommends revoking any tokens already issued from that code, so the error itself is a correct rejection. It can indicate a replay attack (the code was intercepted from the redirect and resubmitted), but it is frequently benign: a client retrying the token request, a user refreshing or reopening the redirect page, or a link scanner/prefetcher hitting the redirect URI before the real client does. Correlate client_id, redirect_uri and source address of both redemptions before treating it as an incident.",
  "root_cause_type": "generic",
  "root_cause_zh": "一个OAuth2授权码被多次提交到令牌端点。RFC 6749 §4.1.2 要求授权服务器拒绝重复的请求，并建议撤销已基于该授权码签发的所有令牌，因此该错误本身是正确的拒绝。它可能表明存在重放攻击（授权码在重定向过程中被截获并重新提交），但也常常是良性的：客户端重试令牌请求、用户刷新或重新打开重定向页面，或链接扫描器/预取器在真正的客户端之前访问了重定向URI。在将其判定为安全事件之前，应关联比对两次兑换的 client_id、redirect_uri 和来源地址。",
  "versions": [
    {
      "version": "OAuth2 2.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Spring Authorization Server 1.1",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Keycloak 22.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Okta 2023.08",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Increasing the authorization code expiration time to reduce user friction makes the window for reuse attacks larger, worsening the security issue.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Ignoring the error and letting the second redemption succeed violates RFC 6749 §4.1.2 (the server MUST deny a repeated authorization code) and lets whoever holds a leaked code obtain tokens alongside the legitimate client.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Restarting the flow to obtain a fresh code lets the client recover, but it does not tell you whether the first code was stolen or merely double-submitted, and it leaves any tokens already issued from the reused code valid unless the server revokes them as RFC 6749 §4.1.2 recommends.",
      "fail_rate": 0.2,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Implement strict one-time use for authorization codes: mark the code used atomically at redemption and check the affected-row count. `UPDATE codes SET used=true WHERE code=? AND used=false` must report exactly one row updated, otherwise reject the request with `invalid_grant`; a SELECT-then-UPDATE is racy under two concurrent redemptions. On a detected reuse, revoke the access and refresh tokens already issued from that code, as RFC 6749 §4.1.2 recommends, and keep the code lifetime short (the spec recommends at most 10 minutes). Also verify that client_id and redirect_uri match the original authorization request.",
      "success_rate": 0.95,
      "how": "Implement strict one-time use for authorization codes: mark the code used atomically at redemption and check the affected-row count. `UPDATE codes SET used=true WHERE code=? AND used=false` must report exactly one row updated, otherwise reject the request with `invalid_grant`; a SELECT-then-UPDATE is racy under two concurrent redemptions. On a detected reuse, revoke the access and refresh tokens already issued from that code, as RFC 6749 §4.1.2 recommends, and keep the code lifetime short (the spec recommends at most 10 minutes). Also verify that client_id and redirect_uri match the original authorization request.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use Proof Key for Code Exchange (PKCE, RFC 7636) so the token request must carry the code_verifier matching the code_challenge sent in the authorization request; an attacker who intercepts only the code then cannot redeem it. PKCE complements one-time use rather than replacing it: the server must still reject the second redemption. Use the S256 method for every client type (public and confidential) and reject `plain`, and have the authorization server require PKCE rather than merely accept it, otherwise a client that omits the challenge gets no protection.",
      "success_rate": 0.9,
      "how": "Use Proof Key for Code Exchange (PKCE, RFC 7636) so the token request must carry the code_verifier matching the code_challenge sent in the authorization request; an attacker who intercepts only the code then cannot redeem it. PKCE complements one-time use rather than replacing it: the server must still reject the second redemption. Use the S256 method for every client type (public and confidential) and reject `plain`, and have the authorization server require PKCE rather than merely accept it, otherwise a client that omits the challenge gets no protection.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "实现严格的授权码一次性使用：兑换时原子地将其标记为已用，并检查受影响行数。`UPDATE codes SET used=true WHERE code=? AND used=false` 必须恰好更新一行，否则以 `invalid_grant` 拒绝请求；先 SELECT 再 UPDATE 在两个并发兑换下存在竞态。检测到重用时，按 RFC 6749 §4.1.2 的建议撤销已基于该授权码签发的访问令牌和刷新令牌，并将授权码生命周期保持在较短范围内（规范建议不超过10分钟）。同时校验 client_id 和 redirect_uri 与原始授权请求一致。",
    "使用 PKCE（RFC 7636），令牌请求必须携带与授权请求中 code_challenge 匹配的 code_verifier，这样仅截获授权码的攻击者无法兑换它。PKCE 是对一次性使用的补充而非替代：服务器仍须拒绝第二次兑换。对所有客户端类型（公共和机密）都使用 S256 方法并拒绝 `plain`；授权服务器应强制要求 PKCE 而不是仅仅接受它，否则省略 challenge 的客户端得不到保护。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2",
  "official_doc_section": null,
  "error_code": "invalid_grant",
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.93,
  "resolvable": "true",
  "first_seen": "2024-01-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}