A Method for Generating Un-Guessable Client Identifiers

Question

I am implementing an OAuth 2.0 authorisation server. As part of client registration process I want to generate the unique client identifier for this client.

The method I have chosen is to take all the client registration information and hash it using SHA-512. The client information includes:

client password (masked using bcrypt)
client type
client name
client web site uri
application name
url for logo image
client description
redirect uri
legal terms and conditions acceptance flag
registration active flag
create timestamp // when the client registered
update timestamp
deactivated timestamp

My question is whether it is safe to include the encrypted password when producing the SHA digest and whether this is a secure way to produce a unique client identifier.

That was my first method. If that is good enough then great. I did have a feeling I was over complicating things — M.K., Nov 09 '18 at 13:47
Security paranoia set in :) - I'll go back to java.util.UUID.randomString() and hash that. — M.K., Nov 09 '18 at 13:49

score 1 · Answer 1 · answered Nov 09 '18 at 20:09

OAuth documentation states that client identifiers are public and simply need to be unique for all clients of that authorization server. They also advise that the ID not be easily guessable to decrease phishing attacks.

The method you proposed is valid, but doesn't provide any additional security over a randomly generated number.

The client secret is the part that has to be cryptogrically secure.

A Method for Generating Un-Guessable Client Identifiers

1 Answers1