OAuth2-409
security
auth_error
ai_generated
true
OAuth2 token reuse detected: same authorization code used more than once
ID: security/oauth2-token-reuse-detection
93% fix rate
88% confidence
Evidence count: 1
First seen: 2024-01-20
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| OAuth2 2.0 | active | — | — | — |
| Spring Authorization Server 1.1 | active | — | — | — |
| Keycloak 22.0 | active | — | — | — |
| Okta 2023.08 | active | — | — | — |
Root cause analysis
An OAuth2 authorization code was used to request a token more than once, indicating a potential replay attack where the code was intercepted and reused.
Official documentation
https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2
Solution
- Implement strict one-time use for authorization codes: after a code is redeemed, mark it as used in the database and reject any subsequent request that presents the same code. Example: `UPDATE codes SET used=true WHERE code=? AND used=false`
- Use Proof Key for Code Exchange (PKCE) to bind the authorization code to a client-generated verifier, so the code cannot be redeemed even if it is intercepted. For mobile apps, always use the S256 challenge method.
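The two measures above combined in one token-endpoint redemption routine, as an added Python example that is not code from this page nor from Spring Authorization Server, Keycloak or Okta. It assumes an in-memory SQLite store with constructed table names `codes` and `tokens`, a constructed client id, and a PKCE S256 check per RFC 7636; the atomic compare-and-set (`UPDATE ... WHERE used=0`, then checking that exactly one row changed) is what makes the one-time rule hold under concurrent requests, and revoking tokens previously issued on a reused code follows the recommendation in RFC 6749 section 4.1.2.

```python
import base64
import hashlib
import secrets
import sqlite3


def make_store():
    """Constructed in-memory store; a real server uses its own persistent DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE codes (code TEXT PRIMARY KEY, client_id TEXT, "
               "challenge TEXT, used INTEGER NOT NULL DEFAULT 0)")
    db.execute("CREATE TABLE tokens (token TEXT PRIMARY KEY, code TEXT, "
               "revoked INTEGER NOT NULL DEFAULT 0)")
    return db


def s256_challenge(verifier: str) -> str:
    """PKCE S256: BASE64URL(SHA256(code_verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(db, client_id: str, code_challenge: str) -> str:
    """Authorization endpoint side: store the code bound to the client and its challenge."""
    code = secrets.token_urlsafe(32)
    db.execute("INSERT INTO codes (code, client_id, challenge) VALUES (?, ?, ?)",
               (code, client_id, code_challenge))
    db.commit()
    return code


def redeem_code(db, code: str, client_id: str, code_verifier: str):
    """Token endpoint side. Returns ("ok", access_token) or ("error", "invalid_grant")."""
    # Step 1: atomic compare-and-set. Exactly one changed row means this is the first
    # redemption; the code is burned here even if the PKCE check below then fails.
    cur = db.execute("UPDATE codes SET used=1 WHERE code=? AND client_id=? AND used=0",
                     (code, client_id))
    if cur.rowcount != 1:
        # Unknown code, wrong client, or already used. On reuse, RFC 6749 4.1.2 says to
        # deny and revoke every token previously issued on that code.
        db.execute("UPDATE tokens SET revoked=1 WHERE code=?", (code,))
        db.commit()
        return ("error", "invalid_grant")

    # Step 2: PKCE. Verifier length per RFC 7636, then constant-time comparison.
    row = db.execute("SELECT challenge FROM codes WHERE code=?", (code,)).fetchone()
    if not 43 <= len(code_verifier) <= 128 or \
            not secrets.compare_digest(s256_challenge(code_verifier), row[0]):
        db.commit()
        return ("error", "invalid_grant")

    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO tokens (token, code) VALUES (?, ?)", (token, code))
    db.commit()
    return ("ok", token)


def is_token_active(db, token: str) -> bool:
    row = db.execute("SELECT revoked FROM tokens WHERE token=?", (token,)).fetchone()
    return row is not None and row[0] == 0


def simulate_replay():
    """Constructed walk-through: one legitimate redemption, then a replay of the same code."""
    db = make_store()
    verifier = secrets.token_urlsafe(48)          # 64 chars, inside the 43..128 range
    code = issue_code(db, "mobile-app", s256_challenge(verifier))
    first = redeem_code(db, code, "mobile-app", verifier)
    second = redeem_code(db, code, "mobile-app", verifier)   # the replay
    return {
        "first": first[0],                                   # "ok"
        "second": second,                                    # ("error", "invalid_grant")
        "token_active": is_token_active(db, first[1]),       # False: revoked on reuse
    }


if __name__ == "__main__":
    print(simulate_replay())
```

Detection follows from the same row: a failed compare-and-set on a code whose `used` flag is already set is the exact signal behind this finding and is worth logging with the client id and source address of the second request.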
Ineffective attempts
Common but ineffective approaches:
- 60% fail: Increasing the authorization code expiration time to reduce user friction widens the window for reuse attacks and worsens the security issue.
- 80% fail: Simply ignoring the error and allowing the second request to succeed breaks the OAuth2 spec and enables token theft.
- 20% fail: Some try to use a different code for each request by generating new codes, but this does not address the fact that the original code was compromised.