TigerWhite

Reputation: 111

Specific algorithm in oauth2

I need to implement an SSO system using OAuth2. I understand the steps in OAuth2, but I don't know what the specific algorithm is for generating an authorization code or an access_token, maybe a hash or something. And I can't find it on the internet.

Upvotes: 2

Views: 4470

Answers (5)

Hemant patidar

Reputation: 1

OAuth2 does not define a specific method to generate or protect tokens (authorization code, access/refresh token). You can implement any strong symmetric cryptographic algorithm, so that you can protect or encrypt the token you are sending.

  1. If you don't want to check the token against a database, you should use this strong encryption.
  2. If it is fine to check the token against a database, you can use a key-value pair, so that you provide the key to the user and the value is stored only in the database.

Upvotes: 0
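The second option above (an opaque token handed to the client, with everything the server needs kept in its own store) as an added Python example; this is not code from the answer above or from any OAuth2 library. The in-memory dict stands in for the token database, and the 3600-second lifetime and the field names are assumptions for the example. The token itself is 32 bytes from the OS CSPRNG, and only its SHA-256 digest is stored, so a leaked token table does not yield usable bearer tokens.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory "database" for the example: sha256(token) -> metadata.
# A real authorization server would use persistent storage.
TOKEN_DB: Dict[str, dict] = {}

TOKEN_TTL_SECONDS = 3600  # assumed lifetime for the example


def _digest(token: str) -> str:
    """Storage key for a token: the server keeps only the hash, never the token."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_token(client_id: str, scope: str, now: Optional[float] = None) -> str:
    """Issue an opaque access token: 32 random bytes (256 bits) from the OS
    CSPRNG, URL-safe base64 encoded, so values cannot be guessed or enumerated."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKEN_DB[_digest(token)] = {
        "client_id": client_id,
        "scope": scope,
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token


def introspect(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Resolve a presented token to its metadata, or None if it is unknown,
    malformed or expired. Lookup is by digest, so the plaintext is never stored."""
    now = time.time() if now is None else now
    if not token or len(token) > 128:          # reject obviously malformed input early
        return None
    key = _digest(token)
    record = TOKEN_DB.get(key)
    if record is None:
        return None
    if now >= record["expires_at"]:
        TOKEN_DB.pop(key, None)                 # expired: drop it lazily
        return None
    return dict(record)


def revoke(token: str) -> bool:
    """Revocation is a delete on the server side; the client's copy becomes useless."""
    return TOKEN_DB.pop(_digest(token), None) is not None


if __name__ == "__main__":
    t = issue_token("client-abc", "read", now=1000.0)
    print("token:", t)
    print("valid now:", introspect(t, now=1000.0))
    print("valid after expiry:", introspect(t, now=1000.0 + TOKEN_TTL_SECONDS))
```

Because the token carries no information, every resource server has to ask the authorization server (or share its store) to interpret it; that round trip is the price of being able to revoke instantly.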

dvsakgec

Reputation: 3784

The access_token contains the claims. So authenticate the user/client and perform the other validations mentioned in the OAuth2 spec. Then, if you consider JWT for the access_token format, you can use the jose4j API for access_token creation, which supports JWE and JWS as well.

Upvotes: 0

wonhee

Reputation: 1661

The OAuth2 spec doesn't specify any algorithm or way to generate token values. You can use whatever algorithm, even a serial number starting from 1, to generate those token values. You can use more complicated random number generation, encryption, or crypto algorithms. Most of them are pretty quick at generating a key value, but you need to check how fast the current authentication server can generate a key and whether it meets your service's requirements.

For example, for token generation in Spring Security, DefaultTokenServices generates the access token and refresh token using a random UUID.

Upvotes: 1

Sri

Reputation: 291

Unless you want to implement your own OAuth generator, you can use existing providers like WSO2 API Manager to support your system. It is well documented and has many REST APIs for this.

Upvotes: 0

Tom

Reputation: 1454

OAuth 2 specs:

Access tokens can have different formats, structures, and methods of utilization (e.g., cryptographic properties) based on the resource server security requirements.

The format of the tokens (and authorization codes) is not defined by the specs, so there is no specific algorithm.

The specs do require:

The authorization server MUST ensure that access tokens cannot be generated, modified, or guessed to produce valid access tokens by unauthorized parties.

So, for instance a random UUID makes a fine token. You could also consider JWT tokens.

Upvotes: 2
