Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

how to generate OAuth client identifier and client secret?

I'm implementing an OAuth2 provider, and I would like to have an area somewhere in my web site where developers log on and register third party apps. But I'm having doubts on how to generate the apps's client identifier and client secret. Should they be unique random codes, or do they have to have some meaningful information to the client? I guess they could be random.

Well I've been looking for best practices on how to do this, but haven't found that much. So any answers will be appreciated.

PD: Im developing on .NET MVC3 with a library called DotNetOpenAuth.

like image 528
Daniel Avatar asked Jan 20 '12 20:01

Daniel


2 Answers

The client identifier can be anything you want. It can be their choice or any random string.

The client secret should be a cryptographically strong random string. Here is how you can generate one:

RandomNumberGenerator cryptoRandomDataGenerator = new RNGCryptoServiceProvider();
byte[] buffer = new byte[length];
cryptoRandomDataGenerator.GetBytes(buffer);
string uniq = Convert.ToBase64String(buffer);
return uniq;
like image 118
Andrew Arnott Avatar answered Oct 23 '22 18:10

Andrew Arnott


The specs are not clear about how you should generate them, but they say that you they should be random strings and unique.

In the section #2.2, about the client identifier:

The authorization server issues the registered client a client identifier - a unique string representing the registration information provided by the client.

like image 41
Felipe Elias Philipp Avatar answered Oct 23 '22 17:10

Felipe Elias Philipp