
OAuth Provider token generation

Submitted by: @import:stackexchange-codereview
Tags: token, oauth, generation, provider

Problem

I'm currently creating an OAuth provider in Java using Jersey. To the best of my knowledge, Jersey does not provide a method to create OAuth tokens, so I'm creating my own.

For those unfamiliar with OAuth, the tokens will be used in a somewhat similar fashion to public/private keys to sign and verify all requests to the server.

A String is formed using a token issued by the server (me) and then encrypted with that token secret (which only the server and the application know). The signature is then sent to the server and verified.

Each token must be:

  • non-sequential
  • non-guessable
  • unique (the tokens will be stored in a database so uniqueness can be verified)

This is the code I'm thinking of using to generate the keys:

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public String generateToken() throws NoSuchAlgorithmException {
    SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    secureRandom.setSeed(secureRandom.generateSeed(128)); // generateSeed takes a byte count, so this is a 128-byte seed
    // Hash the decimal text of one random long; the raw digest bytes are then decoded with the platform default charset
    return new String(digest.digest((secureRandom.nextLong() + "").getBytes()));
}


I'm generating a Long using Java's SecureRandom with SHA-1-PRNG, using a 128 bit seed again generated by SecureRandom.

I'm then using SHA-256 to hash the resulting Long to get a 32 character Unicode String as the token.

  • Is anyone able to see any issues with this style of token generation?
  • If multiple tokens were requested in a row, is there a chance of predicting the next one?
  • I assume that 32 characters is more than enough for this kind of request signing.

Solution

Each token must be:

  • non-sequential
  • non-guessable
  • unique

Without reading into any of the OAuth specifics, if the above are the only criteria to which you must adhere, then I would suggest what you're doing is quite a huge effort to achieve what's already been done with GUID (Globally Unique Identifier).

Java has an implementation of this, a class named UUID:


...that represents an immutable
universally unique identifier (UUID).
A UUID represents a 128-bit value.

Conveniently, a GUID is also a 32 character string.

Some code I found to utilise this using Java:

import java.util.UUID;

UUID uuid = UUID.randomUUID();                // version 4 UUID from a SecureRandom source
String randomUUIDString = uuid.toString();    // canonical 8-4-4-4-12 hex form


Note that I'm not really qualified to be an authority on this where Java is concerned, though the topic I'm concerning myself with here is very transferable. You will need to determine whether A) a GUID satisfies all criteria of an OAuth token, and B) the Java implementation works as the rest of the world expects - I can't vouch for that.
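As an added example that is not part of the question or answer above, the three approaches discussed are placed side by side in Java: the question's hash-one-long method, the answer's UUID, and a token built directly from SecureRandom bytes, with a HashSet standing in for the database uniqueness check the question mentions. The class name, method names and the 32-byte token length are my own choices, not from the posts.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;
import java.util.function.Supplier;

public class TokenGenerators {
    // Platform default CSPRNG; it self-seeds from the OS, so no manual setSeed() call is needed.
    private static final SecureRandom RANDOM = new SecureRandom();

    // The question's approach. Entropy is capped at the 64 bits of the long, whatever the digest size,
    // and decoding raw digest bytes as text is lossy: malformed sequences become U+FFFD.
    static String hashedLongToken() throws NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] digest = sha256.digest(Long.toString(RANDOM.nextLong()).getBytes(StandardCharsets.UTF_8));
        return new String(digest, StandardCharsets.UTF_8); // UTF-8 chosen explicitly to make the loss deterministic
    }

    // The answer's approach: a random (version 4) UUID carries 122 random bits in a 36-character string.
    static String uuidToken() {
        return UUID.randomUUID().toString();
    }

    // Direct approach: 32 CSPRNG bytes (256 bits) as URL-safe Base64 without padding, 43 characters.
    // Each token is independent of the previous one, so seeing earlier tokens does not help predict the next.
    static String randomBytesToken() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Uniqueness check standing in for the database lookup; regenerates on the (astronomically rare) collision.
    static String issueUnique(Set<String> issued, Supplier<String> generator) {
        String token;
        do { token = generator.get(); } while (!issued.add(token));
        return token;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        Set<String> issued = new HashSet<>();
        String hashed = hashedLongToken();
        long lost = hashed.chars().filter(c -> c == 0xFFFD).count(); // digest bytes that did not survive decoding
        System.out.println("hashed-long:  " + hashed.length() + " chars, " + lost + " replacement chars");
        System.out.println("uuid:         " + issueUnique(issued, TokenGenerators::uuidToken));
        System.out.println("random-bytes: " + issueUnique(issued, TokenGenerators::randomBytesToken));
    }
}
```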

Context

StackExchange Code Review Q#1159, answer score: 14
