Best practices for generating and storing authorization codes and access tokens in OAuth server

All we need is an easy explanation of the problem, so here it is.

I’ve recently implemented an OAuth server functionality to our service. I’ve consulted OAuth 2.0 Threat Model and Security Considerations and addressed most of the concerns. I am curious about any best practices for generating authorization code and access_token.

Our backend is written in Node.js, so I am using uuid v4 for both codes and access tokens. Historically, I’ve seen code’s to be shorter than uuid v4, around 6-8 characters long. And recently, I’ve seen tokens in Slack API be likely something else.

Now, I know uuid is considered to be unguessable, we also use a code only one time, and the code is short-lived. Is there anything else that can improve the quality (or unguessability) of the codes and access tokens?

Additionally, does it make sense to hash the codes and access tokens inside database? What is the optimal hash function for it? Right now we use sha256 in similar places.

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

So I’ve been advised that UUID is not considered to be secure enough, although practically it should be.

So in Node/JS world it’s better to use secure module instead of uuid.v4(). More specifically:

crypto.randomBytes(32).toString('hex')

But this is a general discussion about UUID, not sure if there are extra requirements for OAuth stuff. I wouldn’t say so.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

Leave a Reply