Layer7 API Management


Encryption used in OAuth toolkit for storing access tokens and client secret

  • 1.  Encryption used in OAuth toolkit for storing access tokens and client secret

    Posted Feb 24, 2016 02:58 PM

    What is the encryption algorithm used to store the tokens in the OTK DB? Also, what is the algorithm used to generate the access tokens and client_secret? We need to present these answers to our security team, so please help me if you know the details.



  • 2.  Re: Encryption used in OAuth toolkit for storing access tokens and client secret
    Best Answer

    Posted Aug 30, 2016 03:33 PM

    Hi!


    By default the values are stored in the OTK DB in plain text. OTK assumes that the DB is hosted in a secure environment. Tokens and client_secrets are expressed as UUIDs by default.


    However, it is possible to hash those values before they are persisted. There are dedicated policies to persist and retrieve data from the OTK DB. If the values are hashed before they are persisted, they also have to be hashed when they are retrieved for validation purposes. That kind of customization takes only a little time. To find these policies, open Policy Manager and look into "OTK-[version]/Policy Fragments/persistence/token" and "OTK-[version]/Policy Fragments/persistence/client". Encryption could also be implemented, but verify that it is really required before doing that. It causes more effort, since a secret has to be maintained.


    There is also a dedicated policy that generates the tokens/client_secrets. If UUIDs are not satisfactory, the method of generation can be changed to your needs. To find that policy, open Policy Manager and look into "OTK-[version]/configuration/OTK Generate OAuth Token" (it also generates client_secrets).


    Let us know if this helps,

    Sascha
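
The hash-before-persist / hash-before-validate scheme described in the answer above, as an added example in Python; this is not OTK policy or Layer7 code, and the in-memory store, the SHA-256 digest (the answer only says "hash") and the function names are assumptions:

```python
import hashlib
import uuid
from typing import Optional

# Constructed in-memory stand-in for the OTK token table. In OTK the writes
# and reads happen in the persistence/token policy fragments instead.
TOKEN_STORE = {}


def generate_token() -> str:
    # Default OTK behaviour per the answer: tokens and client_secrets are UUIDs.
    return str(uuid.uuid4())


def hash_token(token: str) -> str:
    # Assumed digest: SHA-256 hex. The answer does not name a specific hash.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def persist_token(client_id: str, scope: str) -> str:
    # Persist side: hash before the row is written, so the raw token never
    # reaches the DB. The plaintext is returned only to the requesting client.
    token = generate_token()
    TOKEN_STORE[hash_token(token)] = {"client_id": client_id, "scope": scope}
    return token


def validate_token(presented: str) -> Optional[dict]:
    # Retrieve side: hash the presented value the same way, then look it up,
    # which is the indexed lookup the DB would do on the stored digest column.
    return TOKEN_STORE.get(hash_token(presented))


def plaintext_in_store(token: str) -> bool:
    # What a DB dump would expose: with hashing, the raw token is absent.
    return token in TOKEN_STORE


if __name__ == "__main__":
    issued = persist_token("client-abc", "read")
    print(validate_token(issued))            # row for client-abc
    print(validate_token(generate_token()))  # None: unknown token
    print(plaintext_in_store(issued))        # False
```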