yahya800 / oauth

Automatically exported from code.google.com/p/oauth
0 stars 0 forks source link

The java library's timestamp validation requires synchronized clocks #186

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The net.oauth.SimpleOAuthValidator implementation compares a request's 
timestamp to the local system time (with a 5 minute tolerance window). This 
breaks communication between systems whose clocks are more than 5 minutes out 
of sync.

While this behavior is allowed by RFC-5849, it is not required and a better 
implementation might be to store the value of the most recent timestamp that 
was successfully used by a consumer and merely verify that the next request has 
a higher timestamp value, without ever comparing it to the local system time.

I realize I am not required to use the SimpleOAuthValidator class and I can 
implement my own class instead, but it'd be nice if this was changed in the 
library.

Original issue reported on code.google.com by erik.van...@gmail.com on 29 Sep 2010 at 12:35

GoogleCodeExporter commented 9 years ago
> a better implementation might be to store the value of the most recent 
timestamp that was successfully used by a consumer and merely verify that the 
next request has a higher timestamp value, without ever comparing it to the 
local system time.

Better yet: calculate the clock difference at the first successful request and 
take that into account during the validation of later requests.

Original comment by erik.van...@gmail.com on 29 Sep 2010 at 1:55

GoogleCodeExporter commented 9 years ago

Original comment by morten.f...@gmail.com on 29 Mar 2011 at 5:58