short auth code from authorize request

Hi,

The OAuthV2 policy is generating a very short auth code for the /authorize call that I have developed. Is there any specific configuration that I can make to keep it a longer (random) string to avoid brute-force attacks?

Hi @Ravi Shah,

I don't think there is any way to configure the authorization code length. Certainly not in Public Cloud. Maybe there's a config for Private Cloud, but it's not documented as far as I can tell.

On the other hand (anyone, please correct me if I'm wrong), I don't think the auth code is a value that you can guess the way you can with a static password. The auth code is generated once, and can only be used once. And it is related to data that's specific to the token request, including client id/secret and callback URL, all of which must be valid before a token can be issued.

Just to add to @wwitman's point, this is not configurable in public cloud. However, in private cloud, this is configurable as part of the keymanagement.properties file.

File Path: /opt/apigee4/conf/apigee/message-processor
Property: oauth_auth_code_length
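
The first reply's argument (a code is issued once, redeemable once, and tied to the client and callback URL) and the question's concern about code length, as an added Python sketch that is not part of the thread and not Apigee's implementation. `AuthCodeStore`, `CODE_TTL_SECONDS` and `guess_success_probability` are hypothetical names, the 60-second lifetime is an assumed value, and client-secret verification is assumed to happen elsewhere.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60  # assumed lifetime; not a value from the thread


class AuthCodeStore:
    """Toy in-memory authorization-code store (illustrative names throughout)."""

    def __init__(self, code_bytes=32, now=time.time):
        self.code_bytes = code_bytes   # bytes of CSPRNG output per code
        self.now = now                 # injectable clock for testing
        self._codes = {}               # code -> (client_id, redirect_uri, expires_at)

    def issue(self, client_id, redirect_uri):
        code = secrets.token_urlsafe(self.code_bytes)
        self._codes[code] = (client_id, redirect_uri, self.now() + CODE_TTL_SECONDS)
        return code

    def redeem(self, code, client_id, redirect_uri):
        """Return True only for the first, in-time, correctly bound redemption."""
        # pop() makes the code single-use: any attempt, valid or not, burns it
        record = self._codes.pop(code, None)
        if record is None:
            return False
        bound_client, bound_uri, expires_at = record
        if self.now() > expires_at:
            return False
        # compare_digest avoids leaking match position through timing
        return (hmac.compare_digest(bound_client.encode(), client_id.encode())
                and hmac.compare_digest(bound_uri.encode(), redirect_uri.encode()))


def guess_success_probability(code_bits, live_codes, attempts):
    """Upper bound on hitting any live code with `attempts` blind guesses."""
    return min(1.0, live_codes * attempts / 2 ** code_bits)
```

With 1,000 live codes and a million guesses, the bound is about 0.23 for a 32-bit code and negligible for a 256-bit one, which is why length still matters even when codes are single-use and short-lived.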