如何生成 OAuth 2 客户端 ID 和密钥 [英] How to generate OAuth 2 Client Id and Secret

问题描述

我想使用 .NET 生成客户端 ID 和客户端机密.我阅读了 OAuth 2 规范，例如那里没有指定客户端机密的大小.是否有使用 .NET 框架生成客户端 ID 和客户端密码的好习惯???

解决方案

As OAuth 2.0 授权框架的第 2.2 节 说:

<块引用>

授权服务器向注册的客户端发出一个客户端标识符 -- 代表注册的唯一字符串客户提供的信息.客户端标识符不是秘密;它向资源所有者公开，不得使用单独用于客户端身份验证.客户端标识符是唯一的授权服务器.

<块引用>

客户端标识符字符串大小由此未定义规格.客户应避免对标识符大小.授权服务器应该记录大小它发出的任何标识符.

所以你可以自己定义客户端标识符.这取决于你的选择.您可以使用 System.Guid 简单地生成一个，或者使用 uid + systemTime，您也可以对其进行散列、加密或其他任何您想要的.

但是客户端密钥应该是一个加密的强随机字符串.您可以像这样生成一个:

RandomNumberGenerator cryptoRandomDataGenerator = new RNGCryptoServiceProvider();字节[]缓冲区=新字节[长度]；cryptoRandomDataGenerator.GetBytes(buffer);字符串 uniq = Convert.ToBase64String(buffer);返回 uniq；

你也可以使用加密散列函数()来散列UUID+SystemTime+somthingelse来自己实现.

如果您想了解更多实践，可以参考这里的一些开放实现.>

I want to generate client id and client secret using .NET. I read the OAuth 2 specification and for example the size of client secret is not specified there. Is there a good practice for generating client id and client secret using .NET framework???

解决方案

As section 2.2 of The OAuth 2.0 Authorization Framework says:

The authorization server issues the registered client a client identifier -- a unique string representing the registration information provided by the client. The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication. The client identifier is unique to the authorization server.

The client identifier string size is left undefined by this specification. The client should avoid making assumptions about the identifier size. The authorization server SHOULD document the size of any identifier it issues.

So you can define the client identifier by yourself. It depends your choice. You can use System.Guid to generate one simply, or use uid + systemTime, also you can Hash it, encrypt it or anything you want else.

But the client secret should be a cryptographically strong random string. You can generate one like this:

RandomNumberGenerator cryptoRandomDataGenerator = new RNGCryptoServiceProvider();
byte[] buffer = new byte[length];
cryptoRandomDataGenerator.GetBytes(buffer);
string uniq = Convert.ToBase64String(buffer);
return uniq;

Also you can use cryptographic hash functions() to hash UUID+SystemTime+somthingelse to implement it yourself.

If you want to know more practices, you can refer to some open implementations from here.

这篇关于如何生成 OAuth 2 客户端 ID 和密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！