Best practices for generating and storing authorization codes and access tokens in OAuth server

Question

I've recently implemented an OAuth server functionality to our service. I've consulted OAuth 2.0 Threat Model and Security Considerations and addressed most of the concerns. I am curious about any best practices for generating authorization code and access_token.

Our backend is written in Node.js, so I am using uuid v4 for both codes and access tokens. Historically, I've seen code's to be shorter than uuid v4, around 6-8 characters long. And recently, I've seen tokens in Slack API be likely something else.

Now, I know uuid is considered to be unguessable, we also use a code only one time, and the code is short-lived. Is there anything else that can improve the quality (or unguessability) of the codes and access tokens?

Additionally, does it make sense to hash the codes and access tokens inside database? What is the optimal hash function for it? Right now we use sha256 in similar places.

score 0 · Accepted Answer · answered Nov 05 '20 at 14:32

So I've been advised that UUID is not considered to be secure enough, although practically it should be.

So in Node/JS world it's better to use secure module instead of uuid.v4(). More specifically:

crypto.randomBytes(32).toString('hex')

But this is a general discussion about UUID, not sure if there are extra requirements for OAuth stuff. I wouldn't say so.

Best practices for generating and storing authorization codes and access tokens in OAuth server

1 Answers1