
What are the requirements of a nonce?: "Typically it is only required that a nonce is unique; however, in certain cases harsher requirements (such as randomness and unpredictability) are imposed."

The OAuth 1.0a specification states that:

A nonce is a random string, uniquely generated by the client to allow the server to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel. The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations.

Why does OAuth 1.0a require randomness?

Also I find it surprising that the spec says 'random' without explicitly requiring cryptographically secure randomness. What could be the benefit of a random, but not cryptographically secure random nonce? I suppose I should understand that the requirement of cryptographically secure randomness is implied here?

gaazkam
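The following is an added illustration, not part of the question and not code from any OAuth library, of the server-side rule quoted from the spec: a nonce must be unique across requests that share the same timestamp, client credentials and token, so the server remembers the (client key, token, timestamp, nonce) tuples it has accepted and rejects a repeat. The client keys, tokens and nonces are constructed for the example, and the 300-second acceptance window is an assumption, since the spec leaves the window to the server.

```python
"""Server-side OAuth 1.0a nonce replay check (added illustration)."""
import secrets
import time
from typing import Dict, Set, Tuple

# Assumed acceptance window in seconds: how far a request's oauth_timestamp may
# be from the server clock.  RFC 5849 leaves this choice to the server.
TIMESTAMP_WINDOW = 300


class NonceStore:
    """Remembers (client_key, token, timestamp) -> {nonce} so a replayed request
    is detected.  Entries older than the window are evicted, which is what keeps
    the store bounded: a nonce only has to be remembered while its timestamp
    would still be accepted."""

    def __init__(self, window: int = TIMESTAMP_WINDOW) -> None:
        self.window = window
        self._seen: Dict[Tuple[str, str, int], Set[str]] = {}

    def check(self, client_key: str, token: str, timestamp: int,
              nonce: str, now: int) -> bool:
        """Return True if the request is fresh (and record it).  Return False if
        the timestamp is outside the window or the nonce was already seen for
        this (client_key, token, timestamp) combination, i.e. a replay."""
        if abs(now - timestamp) > self.window:
            return False
        self._evict(now)
        key = (client_key, token, timestamp)
        seen = self._seen.setdefault(key, set())
        if nonce in seen:
            return False
        seen.add(nonce)
        return True

    def _evict(self, now: int) -> None:
        """Drop tuples whose timestamp can no longer be accepted."""
        stale = [k for k in self._seen if now - k[2] > self.window]
        for k in stale:
            del self._seen[k]


def make_nonce(nbytes: int = 16) -> str:
    """Client side: a nonce drawn from the OS CSPRNG (this example's choice).
    128 random bits make an accidental repeat negligible."""
    return secrets.token_hex(nbytes)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed exchange: fresh request, exact replay, same nonce under a
    different client key, and a request with a stale timestamp."""
    store = NonceStore()
    now = int(time.time())
    nonce = make_nonce()
    first = store.check("client-A", "token-1", now, nonce, now)
    replay = store.check("client-A", "token-1", now, nonce, now)
    # The rule is scoped to the (timestamp, client, token) combination, so the
    # same nonce string from a different client is not a replay.
    other_client = store.check("client-B", "token-1", now, nonce, now)
    stale = store.check("client-A", "token-1", now - 3600, make_nonce(), now)
    return first, replay, other_client, stale


if __name__ == "__main__":
    print(demo())
```

Note that the check is only as strong as the scoping the spec defines: reusing a nonce with a different timestamp, client key or token is allowed by the quoted rule, so the window plus the per-combination set is exactly what the server needs to remember.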