
Commit 8b4e461

Adjustment to generate longer codes
RandomValueStringGenerator's default constructor creates a code of length six only. RFC 6819 (OAuth 2.0 Threat Model and Security Considerations) suggests (5.1.4.2.2. Use High Entropy for Secrets) that secrets that aren't used by humans (e.g. client secrets or token handles) have a reasonable level of entropy. They propose token lengths of at least 128 bits. Since the RandomValueStringGenerator only uses case-sensitive alphanumeric symbols, 22 symbols are needed to achieve an entropy >= 128 bits.
1 parent ef01d30 commit 8b4e461

File tree

1 file changed

+1
-1
lines changed


openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2AuthorizationCodeService.java

Lines changed: 1 addition & 1 deletion
@@ -57,7 +57,7 @@ public class DefaultOAuth2AuthorizationCodeService implements AuthorizationCodeS
5757

5858
private int authCodeExpirationSeconds = 60 * 5; // expire in 5 minutes by default
5959

60-
private RandomValueStringGenerator generator = new RandomValueStringGenerator();
60+
private RandomValueStringGenerator generator = new RandomValueStringGenerator(22);
6161

6262
/**
6363
* Generate a random authorization code and create an AuthorizationCodeEntity,
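Review bot: the literal `22` passed to `new RandomValueStringGenerator(22)` is a magic number whose justification lives only in the commit message; pull it into a named constant with a comment so the next reader can check it, e.g. `private static final int AUTH_CODE_LENGTH = 22; // ceil(128 / log2(62)) per RFC 6819 §5.1.4.2.2`. The arithmetic does hold: with a 62-symbol case-sensitive alphanumeric alphabet each symbol carries log2(62) ≈ 5.95 bits, so 21 symbols give only ≈ 125 bits while 22 give ≈ 131 bits, clearing the 128-bit floor. Two follow-ups worth confirming in review: that the generator's underlying random source is cryptographically secure (the length argument buys nothing if the symbols are predictable), and, since the expiry just above is already a field, whether the code length should be configurable the same way rather than hard-coded.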

0 commit comments
