I am implementing an OAuth2 solution for an API I've created and I'm struggling with the potential insecurities (or my understanding, at least).

Is it correct that only a single token is generated and used as the authentication credential for an endpoint request? What's stopping a potential brute force attack where an attacker simply submits tokens to the API in the hope that one will be valid and in use?

I've probably misunderstood something, but I can't for the life of me work out what it is.


Solution

Tokens should be difficult to imagine, of course. They should not be simple sequential integers, for example. There is also no limit on the token length. There are basically two options:

1) build a long token encrypted using your own key (note: it does not have to be long, but it will be, since cryptography will make it long implicitly). You can check, when it is returned, that the token is really yours, because you're the only one who can encrypt and decrypt these tokens.

2) build tokens that are also stored in your database and are reasonably difficult to create, so you check that the token exists in your database.

You can also mix the two approaches. You should also add some expiration time to the tokens (either embedded in the token in the 1st case, or stored alongside the token in the database in the 2nd case).
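Both options from this answer, worked through as an added example (this is not the answerer's code): option 2 as a random opaque token whose SHA-256 hash is kept in a lookup table with an expiry, and option 1 as a self-validating token the server checks without a lookup. One assumption: where the answer says "encrypted", the self-validating token here carries an HMAC-SHA256 tag over its payload instead, since it is the tag that proves the token was minted by the holder of the server key. `SERVER_KEY`, `_token_db` and the function names are constructed for the example; a `now` parameter is accepted so expiry can be exercised deterministically.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-side key for this example; a real service loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- Option 2: random opaque tokens, checked against a stored record ----
# Only a SHA-256 hash of each token is stored, so a leaked table does not yield usable tokens.
_token_db: dict = {}


def issue_opaque_token(subject: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: blind guessing is hopeless
    _token_db[hashlib.sha256(token.encode()).hexdigest()] = {"sub": subject, "exp": now + ttl_seconds}
    return token


def validate_opaque_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject the token was issued to, or None if unknown or expired."""
    now = time.time() if now is None else now
    record = _token_db.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["exp"] <= now:
        return None
    return record["sub"]


# ---- Option 1: self-validating token (payload + HMAC tag), no database lookup needed ----
def issue_signed_token(subject: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": subject, "exp": now + ttl_seconds}).encode())
    tag = _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    return payload + "." + tag


def validate_signed_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the tag verifies and the token is unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, tag = parts
    expected = _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    # Constant-time comparison: a timing difference would let a guess be confirmed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        claims = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def expected_guesses(entropy_bits: int, live_tokens: int = 1) -> float:
    """Average blind guesses before hitting any one of `live_tokens` valid tokens."""
    return 2 ** entropy_bits / live_tokens / 2
```

The `expected_guesses` helper answers the question's worry directly: with 256-bit tokens, even a million live tokens leaves an attacker needing on the order of 2^235 requests on average, which is why token length and a CSPRNG matter more than any per-token lockout for this grant.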

Other tips

One of the most vulnerable grant types in OAuth 2.0 to brute force attack is the Resource Owner Password Credentials type. In such a case, the attacker has access to the client credentials (clientId and password) and only requires the resource owner's (user's) credentials (username and password). There is an authentication implementation model described in Java - Spring Security here that would shed some light on how to avoid this issue.
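The scenario this answer describes, as an added example (not the Spring Security model it refers to, and not the answerer's code): a password-grant token endpoint where the client credentials are assumed to be already known, so the only remaining defence is how the endpoint treats repeated failed user-password attempts. The `PasswordGrantEndpoint` class, the `USERS`/`CLIENTS` tables, the salt and the 5-failures-per-15-minutes policy are all constructed for the example; the endpoint refuses further attempts for a username before it checks the password once the window is exhausted, and always computes the password hash so unknown users cost the same as known ones.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque
from typing import Deque, Dict

MAX_FAILURES = 5          # failed password attempts tolerated per username ...
WINDOW_SECONDS = 15 * 60  # ... within this sliding window (constructed policy)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed fixtures for this example; real deployments use per-user salts and a secret store.
_SALT = b"constructed-salt-not-for-production"
USERS = {"alice": _hash_password("correct horse battery staple", _SALT)}
CLIENTS = {"mobile-app": "constructed-client-secret"}


class PasswordGrantEndpoint:
    def __init__(self) -> None:
        # username -> timestamps of recent failed attempts
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _failures_in_window(self, username: str, now: float) -> int:
        q = self._failures[username]
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()  # drop attempts that have aged out of the window
        return len(q)

    def token(self, client_id: str, client_secret: str, username: str, password: str, now: float) -> dict:
        # 1. Authenticate the client. In the ROPC scenario the attacker already holds these,
        #    so this step alone does not slow the attack down.
        if not hmac.compare_digest(CLIENTS.get(client_id, ""), client_secret):
            return {"error": "invalid_client"}
        # 2. Throttle before checking the password: once the window is exhausted the caller
        #    learns nothing, even if this particular guess happens to be right.
        if self._failures_in_window(username, now) >= MAX_FAILURES:
            return {"error": "too_many_attempts", "retry_after": WINDOW_SECONDS}
        # 3. Verify the password in constant time. The hash is computed even for unknown
        #    users so response time does not reveal which usernames exist.
        stored = USERS.get(username)
        candidate = _hash_password(password, _SALT)
        if stored is None or not hmac.compare_digest(stored, candidate):
            self._failures[username].append(now)
            return {"error": "invalid_grant"}
        self._failures[username].clear()
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer", "expires_in": 3600}
```

Per-username throttling is chosen over per-IP throttling because a credential-guessing attacker controls the source address; a production endpoint would typically combine both and log the `too_many_attempts` events for detection.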

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow