I am implementing the OAuth 2.0 provider server using Apache Oltu framework, looking for some idea on how to generate the access token and secret tokens in java. Please advise.

1 Answer

The OAuth 2.0 specification doesn't say anything about how to generate the token and the secret token. Thus it is up to you whether you use some existing/anchor data to generate tokens or you use a random sequence to generate them. The only difference is that if you use presumably known data (e.g. user data, such as username, creation date, etc.) you can restore the tokens any time you need to. If you use a random sequence of data, then you cannot restore the tokens once they are lost.

In other words, the RFC doesn't restrict you on the generation process.

I would probably use string concatenation of User Details data plus some random data, then do Base64 encoding.

import java.nio.charset.StandardCharsets;
import org.apache.commons.codec.binary.Base64;
// username, creationDate and random are assumed to be String values already in scope
String keySource = username + creationDate + random;
byte[] tokenByte = new Base64(true).encode(keySource.getBytes(StandardCharsets.UTF_8)); // encode() honours the URL-safe flag; the static encodeBase64() ignores it
String token = new String(tokenByte, StandardCharsets.UTF_8);
  • Thanks for the suggestion. My requirement is to have a self-contained token containing information like client id, app id, etc., and to have a secret token which can be used to decrypt the issued token and get the information in the token. Suggest me some way to accomplish that. – willsteel Jun 17 '13 at 09:50
  • 1
    Then you can create the token which is client id, app id etc. Generate secret token and store it in DB. And use DES algorithm to encrypt/decrypt the issued token with the secret token. This is the example on how to use DES is java http://java-espresso.blogspot.com/2011/09/des-algorithm-code-in-java.html – Sqeezer Jun 17 '13 at 10:14
  • Thank you, that's exactly what I was looking for. Can you suggest some other algorithms which are more secure than DES and can be used for my requirement? – willsteel Jun 17 '13 at 10:39
  • 1
    AES is more secure. It uses longer keys for encoding/decoding. Usage is quite similar to DES, the only difference is algorithm name. The example of usage you can find here http://www.code2learn.com/2011/06/encryption-and-decryption-of-data-using.html – Sqeezer Jun 17 '13 at 11:08
  • See ciphers comparison here http://www.javamex.com/tutorials/cryptography/ciphers.shtml – Sqeezer Jun 17 '13 at 11:11
  • Hey, facing an issue: the tokens I am generating through DES contain characters like + and =, which are causing issues since I pass the tokens as query parameters to the client. Any way to generate only alphanumeric tokens? – willsteel Jun 18 '13 at 11:12
  • Before passing a query parameter use URLEncode.encode(param, "UTF-8") to encode the parameter. Decoding can be done using URLDecode class. – Sqeezer Jun 18 '13 at 12:05
  • I tried that actually, but when I do that the client gets the encoded token and can't directly use that token from the URL; he needs to decode it first, which I just wanted to avoid. Also, the tokens generated by Facebook, LinkedIn or Twitter are not URL encoded, so clients can directly use the token from the URL. – willsteel Jun 18 '13 at 14:18
  • Do Base64 encode on encrypted token, please. – Sqeezer Jun 18 '13 at 15:17
  • Sorry, didn't mention that; tried that as well. The Base64 encoder generates a string with = in it, which again gets encoded in the URL. – willsteel Jun 19 '13 at 06:57
  • You can remove the '=' char at the end; this is just padding. Then, if the length is not a multiple of 4, you add it back, for example when you want to decipher the token. See here about the trailing '=': http://stackoverflow.com/questions/4492426/remove-trailing-when-base64-encoding – Sqeezer Jun 19 '13 at 07:05
  • I've just found that you can generate URL safe encoded sequence by creating constructor as follows new Base64(true). See here http://commons.apache.org/proper/commons-codec/apidocs/org/apache/commons/codec/binary/Base64.html – Sqeezer Jun 19 '13 at 07:22
  • If the answer has helped you, please vote for it at least. – Sqeezer Jun 19 '13 at 07:29
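The two token designs discussed in the answer and its comments, as an added example that is not part of the original answer and does not use Apache Oltu or commons-codec (it uses only the JDK): an opaque token drawn from a CSPRNG, and a self-contained token whose client id / app id payload is sealed under a server-side key. AES-GCM stands in for the DES/AES-CBC examples linked in the comments, since it also authenticates the payload so that an altered token is rejected instead of being decrypted to garbage. `java.util.Base64`'s URL-safe, padding-free encoder removes the `+`, `/` and `=` characters that caused the query-parameter trouble above. The class name, the payload format and the constants are assumptions for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical demo class; not an Oltu API.
public class TokenDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // URL-safe alphabet ('-' and '_' instead of '+' and '/') and no '=' padding,
    // so the token can be placed in a query string without URL encoding.
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // 1. Opaque token: 32 random bytes. The server keeps a DB row mapping
    //    token -> client id, app id, expiry; nothing about the client is recoverable from the token itself.
    static String newOpaqueToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return ENC.encodeToString(raw);
    }

    // 2. Self-contained token: payload encrypted with AES-GCM under a key that never leaves the server.
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;  // authentication tag length

    static SecretKey newServerKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Token layout: base64url( IV || ciphertext || tag )
    static String issueSealedToken(SecretKey key, String payload) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                       // fresh nonce per token; a repeated nonce breaks GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(payload.getBytes(StandardCharsets.UTF_8)); // ciphertext with tag appended
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return ENC.encodeToString(out);
    }

    static String openSealedToken(SecretKey key, String token) throws Exception {
        byte[] in = DEC.decode(token);           // decoder accepts unpadded input
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("token too short");
        }
        GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, spec);
        // doFinal throws AEADBadTagException if any byte was altered or the token was issued under another key
        byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("opaque: " + newOpaqueToken());

        SecretKey key = newServerKey();
        // Constructed sample payload; a real server would also bind scope and issuer here.
        String token = issueSealedToken(key, "client_id=abc123;app_id=42;exp=1700000000");
        System.out.println("sealed: " + token);
        System.out.println("opened: " + openSealedToken(key, token));

        // Tampering check: change one character inside the ciphertext region and try to open it.
        char[] t = token.toCharArray();
        t[20] = (t[20] == 'A') ? 'B' : 'A';
        try {
            openSealedToken(key, new String(t));
            System.out.println("tamper NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected, token rejected");
        }
    }
}
```

Which design to pick follows the answer's own distinction: the opaque token needs a server-side lookup but reveals nothing if it leaks, while the sealed token carries its own data and so needs a key that is stored as carefully as the database would be, plus an expiry inside the payload because nothing else lets the server retire it.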