OAuth Replay Attack Mitigation

Ben Botto
Jul 8, 2020
Layers (Photo by Lubo Minar on Unsplash)

When working with developers on authentication and authorization, I find that the nonce and state parameters are two of the more difficult parts of the OAuth 2.0 and OpenID Connect specifications to understand. It’s clear from the specs that these parameters are for security, but what specific attacks do these parameters help to prevent? Well, these two parameters work in tandem to thwart replay attacks and cross-site request forgery (CSRF). Let’s take a look at a few examples of replay attacks against an OAuth or OpenID Connect client, and then go over some mitigation techniques using a nonce and a state.

This article assumes that OAuth’s Authorization Code Flow is being used, and that the reader is familiar with OAuth 2.0 or OpenID Connect (OIDC). It’s worth pointing out that OAuth’s Implicit Flow is deprecated due to a number of well-known attacks, not all of which have sufficient mitigation strategies. Also, the techniques described herein have applications outside of authorization and authentication. For example, a nonce and state can be used to harden the security of a password-reset process.

Lastly, a few terms:

  • Resource Owner: The entity, probably a human or service account, that is using your Client application and owns some data, like photos or messages. In this article, this is generally referred to as the user.
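To make the roles of the two parameters concrete before the attack walkthroughs, here is an added example (not code from the article) of how an Authorization Code Flow client mints a fresh `state` and `nonce` per login, stores them in the user's session, and refuses an authorization response or ID token that does not carry the value issued to that session. The endpoint, client id, redirect URI and the dict-based session are assumed placeholders; signature, issuer, audience and expiry validation of the ID token are assumed to happen elsewhere.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; a real client gets these from its configuration.
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://client.example/callback"


def _same(expected, received):
    """Constant-time comparison that tolerates missing or non-ASCII input."""
    if not expected or not received:
        return False
    return hmac.compare_digest(expected.encode(), received.encode())


def start_login(session):
    """Mint a fresh state and nonce, store them in this session, build the authorize URL."""
    session["oauth_state"] = secrets.token_urlsafe(32)  # binds the callback to this session
    session["oidc_nonce"] = secrets.token_urlsafe(32)   # binds the ID token to this session
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["oauth_state"],
        "nonce": session["oidc_nonce"],
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Return the authorization code only if the state matches the one this session issued.

    The state is single-use: it is removed from the session here, so a replayed
    callback, or one carrying a state minted for a different session, is rejected
    before any code is exchanged at the token endpoint.
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if not _same(expected, received):
        raise ValueError("state mismatch: rejecting authorization response")
    return query["code"][0]


def check_id_token_nonce(session, id_token_claims):
    """Accept the ID token only if its nonce claim equals the one this session sent (single-use)."""
    expected = session.pop("oidc_nonce", None)
    return _same(expected, id_token_claims.get("nonce"))
```

Because both values are popped on first use, a second presentation of the same callback or ID token fails even within the session that originally issued them.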
