  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-42893

OAuth plugin returns oauth_problem="nonce_used" to consumer


    • Type: Bug
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: 6.1.20 EE GA2, 6.1.30 EE GA3, 6.1.X EE
    • Fix Version/s: 6.1.X EE
    • Component/s: Security Vulnerability


      To keep things simple I am trying to invoke a service which requires no parameters, because these would complicate the request signing.

      I am sending requests to:

      With headers like the following:

      Authorization: OAuth realm="http%3A%2F%2F127.0.0.1", oauth_consumer_key="788f3eac-52bd-4f08-9116-4fb8736bc001", oauth_token="7273397d78a8aeba92dab3887d9271ed", oauth_signature_method="HMAC-SHA1", oauth_signature="NN%2BCuYEDJAXM2ebi5rWjKUw0g1A%3D", oauth_timestamp="1373238929", oauth_nonce="9ece7ca255aa3e66bb3ac75f160dff646f28b829", oauth_version="1.0"

      Those are the correct parameters for the header, aren't they?

      The response I am getting is:

      WWW-Authenticate: OAuth realm="http%3A%2F%2F127.0.0.1", oauth_problem="nonce_used"

      This is very odd because I am certain that the nonce I am sending has not been sent before (I've intercepted all HTTP traffic to verify this). I've restarted Liferay many times to clear its memory too (just to be on the extra safe side). Are you aware of any issues with the OAuth implementation for resource URLs with regard to the nonce? I could not find any such issues logged on JIRA.

      Any thoughts you can offer would be much appreciated!
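For reference when debugging a rejection like the one reported above, the following added example (not part of the original report and not Liferay's code) parses the reported Authorization header and applies the nonce rule from RFC 5849 section 3.3: a nonce must be unique per timestamp, client credentials and token combination. The `NonceStore` class, its 300-second window and the in-memory dictionary are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Authorization header value copied from the report above.
HEADER = (
    'OAuth realm="http%3A%2F%2F127.0.0.1", '
    'oauth_consumer_key="788f3eac-52bd-4f08-9116-4fb8736bc001", '
    'oauth_token="7273397d78a8aeba92dab3887d9271ed", '
    'oauth_signature_method="HMAC-SHA1", '
    'oauth_signature="NN%2BCuYEDJAXM2ebi5rWjKUw0g1A%3D", '
    'oauth_timestamp="1373238929", '
    'oauth_nonce="9ece7ca255aa3e66bb3ac75f160dff646f28b829", '
    'oauth_version="1.0"'
)

def parse_oauth_header(value):
    """Split an 'OAuth k="v", ...' header into percent-decoded parameters."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth Authorization header")
    return {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', rest)}

class NonceStore:
    """Hypothetical in-memory replay cache (names and window are assumptions)."""

    def __init__(self, window=300):
        self.window = window  # accepted clock skew in seconds
        self.seen = {}        # (consumer, token, timestamp, nonce) -> timestamp

    def check(self, params, now):
        """Return None if acceptable, otherwise an oauth_problem value."""
        ts = int(params["oauth_timestamp"])
        if abs(now - ts) > self.window:
            return "timestamp_refused"
        # Entries older than the window can no longer pass the timestamp test.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}
        key = (params["oauth_consumer_key"], params.get("oauth_token", ""),
               ts, params["oauth_nonce"])
        if key in self.seen:
            return "nonce_used"
        self.seen[key] = ts
        return None
```

With a store of this kind, any code path that runs `check` twice for the same request answers `nonce_used` on the second pass even though the client sent the nonce only once.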




                  Version Package
                  6.1.X EE