Be very careful with UUIDs as secret tokens. UUIDs are designed to be unique, not necessarily unguessable.

Version 1 UUIDs (MAC address + timestamp) are predictable, thus unsuitable for access tokens. Version 4 UUIDs, which contain random bits, might be suitable, but be advised that they only contain 122 random bits. This technically violates the OAuth 2 core spec:

RFC 6749 Section 10.10
> The probability of an attacker guessing generated tokens (and other
> credentials not intended for handling by end-users) MUST be less than
> or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160).

Andre

On Wed, Nov 26, 2014 at 8:21 PM, Justin Richer <[email protected]> wrote:
> Yes, they are very compatible. For OAuth's purposes, the uuid is a case
> sensitive opaque string, so the fact that it could have a looser
> interpretation with the same semantics is irrelevant. The stricter
> interpretation rules the day, and importantly the client won't try to do
> anything special with the value.
>
> -- Justin
>
> / Sent from my phone /
>
> -------- Original message --------
> From: HAMANO Tsukasa <[email protected]>
> Date: 11/26/2014 10:06 PM (GMT-05:00)
> To: [email protected]
> Cc:
> Subject: [OAUTH-WG] access_token and UUID
>
> Hi,
>
> I have a question about access_token generation.
> Would it be possible to use an access_token that is generated as a UUID?
> It seems reasonable, as UUID is regarded as a safe ID generation
> algorithm. And in fact such OAuth 2.0 implementations exist.
> But there is a discrepancy between the OAuth 2.0 spec and the UUID spec around
> letter case.
>
> RFC 6749 says:
>> Unless otherwise noted, all the protocol parameter names and values
>> are case sensitive.
>
>> access_token
>> REQUIRED. The access token issued by the authorization server.
>
> RFC 4122 says:
>> The hexadecimal values "a" through "f" are output as lower case
>> characters and are case insensitive on input.
>
> I mean, access_token should be treated as case sensitive but UUID
> should be treated as case insensitive.
> What are your thoughts on that?
>
> Thank you.
>
> --
> Open Source Solution Technology Corporation
> HAMANO Tsukasa <[email protected]>
> fingerprint = 2285 2111 6D34 3816 3C2E A5B9 16BE D101 6069 BE55
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
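The two points raised in this thread, that a version 4 UUID carries only 122 random bits (short of the 128-bit MUST in RFC 6749 section 10.10) and that an OAuth access_token is compared as a case-sensitive opaque string even when it happens to look like a UUID, can be checked directly. The following is an added example, not code from any participant in the thread; it uses only the Python standard library (`uuid`, `secrets`, `hmac`), and the function names and the 32-byte token size are my own choices.

```python
import hmac
import secrets
import uuid

# RFC 6749 section 10.10 bounds, expressed as bits of entropy:
# guess probability MUST be <= 2^-128 and SHOULD be <= 2^-160.
RFC6749_MUST_BITS = 128
RFC6749_SHOULD_BITS = 160


def uuid_fixed_bits(u):
    """Count the bits RFC 4122 fixes in every UUID, whatever the generator.

    The layout reserves a 4-bit version field (high nibble of
    time_hi_and_version, bits 76..79 of the 128-bit integer) and a 2-bit
    variant field ("10", bits 62..63, top of clock_seq_hi_and_reserved).
    """
    version_nibble = (u.int >> 76) & 0xF
    variant_bits = (u.int >> 62) & 0b11
    if variant_bits != 0b10:
        raise ValueError("not an RFC 4122 variant UUID")
    if version_nibble != u.version:
        raise ValueError("version field does not match parsed version")
    return 4 + 2


def uuid4_random_bits():
    """Entropy available in a version 4 UUID: 128 bits minus the fixed fields."""
    return 128 - uuid_fixed_bits(uuid.uuid4())


def meets_rfc6749(entropy_bits, recommended=False):
    """True if a token with this much entropy satisfies the MUST (or SHOULD) bound."""
    threshold = RFC6749_SHOULD_BITS if recommended else RFC6749_MUST_BITS
    return entropy_bits >= threshold


def new_access_token(nbytes=32):
    """Issue an opaque token from the OS CSPRNG; returns (token, entropy_bits).

    32 bytes = 256 bits of entropy, above both RFC 6749 thresholds; the
    base64url encoding is purely a transport format for the random bytes.
    """
    return secrets.token_urlsafe(nbytes), nbytes * 8


def token_matches(presented, stored):
    """Compare tokens as case-sensitive opaque strings in constant time.

    This is the thread's conclusion: the client echoes the exact string it was
    issued, so the server never case-normalises an access_token, even one that
    is syntactically a UUID.
    """
    return hmac.compare_digest(presented.encode(), stored.encode())


def same_uuid_different_token(a, b):
    """The discrepancy Hamano asked about, made concrete.

    RFC 4122 parsing accepts either letter case and yields the same UUID,
    while the OAuth comparison treats the two strings as distinct tokens.
    """
    return uuid.UUID(a) == uuid.UUID(b) and not token_matches(a, b)


if __name__ == "__main__":
    print("uuid4 random bits:", uuid4_random_bits(),
          "meets MUST:", meets_rfc6749(uuid4_random_bits()))
    tok, bits = new_access_token()
    print("CSPRNG token bits:", bits,
          "meets SHOULD:", meets_rfc6749(bits, recommended=True))
    # Constructed sample value, not a real issued token.
    sample = "123e4567-e89b-12d3-a456-426614174000"
    print("same UUID but different OAuth token:",
          same_uuid_different_token(sample, sample.upper()))
```

Running it shows that a v4 UUID falls short of the MUST bound by 6 bits, that a 32-byte CSPRNG token clears the SHOULD bound with room to spare, and that upper- and lower-case renderings of one UUID parse identically under RFC 4122 yet are different tokens under RFC 6749. In practice that means a server issuing UUID-shaped tokens must store and compare the exact string it handed out, and a server that wants to satisfy section 10.10 should draw the token from a CSPRNG at 16 bytes or more rather than from a UUID generator.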
