OAuth 2.0 Generating Token and Secret Token [closed]
I am implementing an OAuth 2.0 provider server using the Apache Oltu framework and am looking for some ideas on how to generate the access token and secret tokens in Java. Please advise.

Murk answered 17/6, 2013 at 6:6 Comment(1)
Follow the OAuth documentation, google it and help yourself! Distraction
The OAuth 2.0 specification doesn't say anything about how to generate the token and secret token. Thus it is up to you whether you use some existing/anchor data to generate tokens or you want to use a random sequence in order to generate tokens. The only difference is that if you use presumably known data (e.g. user data, such as username, creation date, etc.) you can restore tokens any time you need to. If you use a random sequence of data, then you cannot restore tokens once they are lost.

In other words, the RFC doesn't restrict you on the generation process.

I would probably use string concatenation of the user details plus some random data, then do Base64 encoding.

import java.nio.charset.StandardCharsets;
import org.apache.commons.codec.binary.Base64; // Apache Commons Codec

String keySource = username + creationDate + random;
byte[] tokenByte = new Base64(true).encode(keySource.getBytes(StandardCharsets.UTF_8)); // urlSafe=true only affects the instance encode(); the static encodeBase64() ignores it
String token = new String(tokenByte, StandardCharsets.UTF_8);
Camillacamille answered 17/6, 2013 at 7:13 Comment(13)
Thanks for the suggestion. My requirement is to have a self-contained token containing information like client id, app id, etc. and a secret token which can be used to decrypt the issued token and get the information in the token. Suggest me some way to accomplish that. Murk
Then you can create the token which is client id, app id etc. Generate a secret token and store it in the DB. And use the DES algorithm to encrypt/decrypt the issued token with the secret token. This is an example of how to use DES in Java: java-espresso.blogspot.com/2011/09/… Camillacamille
Thank you, that's exactly what I was looking for. Can you suggest some other algorithms which are more secure than DES and can be used for my requirement? Murk
AES is more secure. It uses longer keys for encoding/decoding. Usage is quite similar to DES; the only difference is the algorithm name. An example of usage you can find here: code2learn.com/2011/06/… Camillacamille
See a ciphers comparison here: javamex.com/tutorials/cryptography/ciphers.shtml Camillacamille
Hey, facing an issue: the tokens I am generating through DES contain characters like + and = which are causing issues since I pass the tokens as query parameters to the client. Any way to generate only alphanumeric tokens? Murk
Before passing a query parameter use URLEncode.encode(param, "UTF-8") to encode the parameter. Decoding can be done using the URLDecode class. Camillacamille
I tried that actually, but when I do that the client would get the encoded token and he can't directly use that token from the URL; he needs to decode it first. Just wanted to avoid that. Also the tokens generated by Facebook, LinkedIn or Twitter are not URL encoded, so clients can directly use the token from the URL. Murk
Do Base64 encoding on the encrypted token, please. Camillacamille
Sorry, didn't mention that; tried that as well. The Base64 encoder generates a string with = in it which again gets encoded in the URL. Murk
You can remove the '=' char at the end; this is just padding. Then if the length is not a multiple of 4 you add it back, for example, if you want to decipher the token. See here about the ending '=': #4492926 Camillacamille
I've just found that you can generate a URL-safe encoded sequence by calling the constructor as follows: new Base64(true). See here: commons.apache.org/proper/commons-codec/apidocs/org/apache/… Camillacamille
If the answer has helped you, please vote for it at least. Camillacamille
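As an added example (not code from the original post or from Apache Oltu) that covers both the answer's random-versus-derived token choice and the comment thread's URL-safe Base64 problem: the opaque token comes from SecureRandom, and the self-contained token encrypts the client/app claims with AES in GCM mode (an authenticated mode; the thread only names AES) and emits URL-safe Base64 without padding, so no '+', '/' or '=' ever reaches the query string. The class and method names, the claim string and the 128-bit key size are my assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class TokenDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // URL-safe alphabet ('-' and '_' instead of '+' and '/') and no '=' padding,
    // so the token can sit in a query string without URL encoding.
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    // Opaque bearer token: 32 random bytes, not derived from user data,
    // so it must be stored (hashed) server-side to be looked up later.
    static String randomToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return B64.encodeToString(b);
    }

    // Self-contained token: claims encrypted and authenticated with AES-GCM.
    // Output layout: 12-byte nonce || ciphertext+tag, then URL-safe Base64.
    static String sealClaims(String claims, byte[] key) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);                      // never reuse a nonce with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(claims.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return B64.encodeToString(out);
    }

    // Reverse of sealClaims; throws AEADBadTagException if the token was altered.
    static String openClaims(String token, byte[] key) throws Exception {
        byte[] in = Base64.getUrlDecoder().decode(token);   // missing padding is accepted
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];                 // 128-bit AES key; keep it server-side only
        RNG.nextBytes(key);
        String token = sealClaims("client_id=abc123;app_id=42", key);   // constructed sample claims
        System.out.println(token);                 // only [A-Za-z0-9_-]: safe in a query string
        System.out.println(openClaims(token, key));
    }
}
```

Any modification to the token makes openClaims throw instead of returning forged claims, which a plain DES or AES encryption without authentication would not guarantee.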
