# OAuth2令牌重用检测到：同一授权码被多次使用

- **ID:** `security/oauth2-token-reuse-detection`
- **领域:** security
- **类别:** auth_error
- **错误码:** `OAuth2-409`
- **验证级别:** ai_generated
- **修复率:** 93%

## 根因

一个OAuth2授权码被多次用于请求令牌，表明存在潜在的重放攻击，其中代码被拦截并重用。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| OAuth2 2.0 | active | — | — |
| Spring Authorization Server 1.1 | active | — | — |
| Keycloak 22.0 | active | — | — |
| Okta 2023.08 | active | — | — |

## 解决方案

1. ```
   Implement strict one-time use for authorization codes: after a code is redeemed, mark it as used in the database and reject any subsequent requests with the same code. Example: `UPDATE codes SET used=true WHERE code=? AND used=false`
   ```
2. ```
   Use Proof Key for Code Exchange (PKCE) to bind the authorization code to a client-generated verifier, preventing reuse even if the code is intercepted. For mobile apps, always use S256 challenge method.
   ```

## 无效尝试

- **** — Increasing the authorization code expiration time to reduce user friction makes the window for reuse attacks larger, worsening the security issue. (60% 失败率)
- **** — Simply ignoring the error and allowing the second request to succeed breaks the OAuth2 spec and enables token theft. (80% 失败率)
- **** — Some try to use a different code for each request by generating new codes, but this doesn't address the fact that the original code was compromised. (20% 失败率)