I'm implementing an OAuth2 provider, and I would like to have an area somewhere in my web site where developers log on and register third party apps. But I'm having doubts on how to generate the apps's client identifier and client secret. Should they be unique random codes, or do they have to have some meaningful information to the client? I guess they could be random.
Well I've been looking for best practices on how to do this, but haven't found that much. So any answers will be appreciated.
PD: Im developing on .NET MVC3 with a library called DotNetOpenAuth.
The client identifier can be anything you want. It can be their choice or any random string.
The client secret should be a cryptographically strong random string. Here is how you can generate one:
RandomNumberGenerator cryptoRandomDataGenerator = new RNGCryptoServiceProvider();
byte[] buffer = new byte[length];
cryptoRandomDataGenerator.GetBytes(buffer);
string uniq = Convert.ToBase64String(buffer);
return uniq;
The specs are not clear about how you should generate them, but they say that you they should be random strings and unique.
In the section #2.2, about the client identifier:
The authorization server issues the registered client a client identifier - a unique string representing the registration information provided by the client.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With