Consumer Key and Secret for OpenID Connect


Hi,

In this RFC 16.19, it says

"In Section 10.1 and Section 10.2, keys are derived from the client_secret value. Thus, when used with symmetric signing or encryption operations, client_secret values MUST contain sufficient entropy to generate cryptographically strong keys. Also, client_secret values MUST also contain at least the minimum of number of octets required for MAC keys for the particular algorithm used. So for instance, for HS256, the client_secret value MUST contain at least 32 octets (and almost certainly SHOULD contain more, since client_secret values are likely to use a restricted alphabet)."

So what is the entropy of the consumer key and secret? Do they satisfy this requirement?

Solved
1 ACCEPTED SOLUTION

A couple things.

First, the section you cited states it clearly, but your question didn't call it out, so I will repeat it here: the requirement for entropy in the consumer secret applies only if the encrypting party uses Symmetric Encryption. In most cases people employing OpenID Connect are using Asymmetric Encryption.

Second, you asked about the entropy of the consumer key and secret. I think you are not interested in the entropy of the consumer key. The information of interest is the entropy in the consumer secret, since that is the source of entropy for the encryption key used in the HMAC.

The entropy of the consumer secret is up to you. By default the consumer secret in Apigee Edge is 16 characters, in a restricted alphabet (ASCII alphanumerics: A-Z, a-z, 0-9), which is not enough entropy to support a 256-bit HMAC (HS256). Claude Shannon tells us that the entropy of a single character in the alphabet of "ASCII alphanumeric" is log2(62) = 5.95. The total entropy of a secret of 16 characters from that alphabet is 16 * log2(62) = 95 bits, not sufficient!

Given an alphabet of ASCII alphanumeric, to get 256 bits of entropy, you will need a consumer secret of 256 / log2(62) = 43 characters.

How can you get secrets of a sufficient length? Two ways.

  1. The Apigee Edge administrator can import specific keys & secrets of greater length, up to 1024 characters, which will give you the entropy you need for this purpose. See here. You will have to ensure that the secret you import is sufficiently random to support your needs.
  2. Also it is possible to configure an Apigee Edge organization to generate longer consumer secrets, via an administrative API call.

    For example, to generate secrets that have a length of 54 characters in the restricted alphabet:

    curl -X POST $mgmtserver/v1/o/$ORG \
      -H 'content-type: application/json' \
      -d '{
        "properties" : {
          "property" : [ {
            "name" : "keymanagement.consumer.secret.length",
            "value" : "54"
          } ]
        }
      }'

    After you invoke this call, all secrets generated by Apigee Edge in the organization will have a secret that is 54 characters, selected from the ASCII alphanumeric alphabet: A-Z, a-z and 0-9. Existing secrets will be unchanged, of course. Read more about this API call here.

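The entropy arithmetic from the answer above, carried through as a small check you can run against a client_secret before using it with an HMAC algorithm. This is an added example, not code from the thread or from Apigee; the alphabet, the per-algorithm minimum octet counts and the target bit levels are assumptions based on the RFC text quoted in the question.

```python
import math
import secrets
import string

# Assumed alphabet: the restricted "ASCII alphanumeric" set the answer describes (62 symbols).
ALPHANUMERIC = string.ascii_letters + string.digits

# Minimum MAC key length in octets (hash output size) and the entropy target in bits,
# per HMAC algorithm. HS256 is the case discussed in the thread; the others are assumptions.
HMAC_MIN_OCTETS = {"HS256": 32, "HS384": 48, "HS512": 64}
HMAC_TARGET_BITS = {"HS256": 256, "HS384": 384, "HS512": 512}


def entropy_bits(length: int, alphabet_size: int = len(ALPHANUMERIC)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def required_length(target_bits: int, alphabet_size: int = len(ALPHANUMERIC)) -> int:
    """Smallest string length whose entropy over the alphabet reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def check_client_secret(secret: str, alg: str = "HS256", alphabet: str = ALPHANUMERIC) -> dict:
    """Apply both conditions from the RFC text: enough octets for the MAC key, and enough
    entropy. Assumes the secret was drawn uniformly at random from `alphabet`."""
    if any(ch not in alphabet for ch in secret):
        raise ValueError("secret contains characters outside the declared alphabet")
    octets = len(secret.encode("utf-8"))
    bits = entropy_bits(len(secret), len(alphabet))
    return {
        "octets": octets,
        "entropy_bits": round(bits, 1),
        "meets_min_octets": octets >= HMAC_MIN_OCTETS[alg],
        "meets_entropy": bits >= HMAC_TARGET_BITS[alg],
    }


def generate_client_secret(alg: str = "HS256", alphabet: str = ALPHANUMERIC) -> str:
    """Generate a secret from a CSPRNG that is long enough for `alg` over `alphabet`."""
    n = required_length(HMAC_TARGET_BITS[alg], len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    # The Apigee default (16 chars) versus the 54-char setting from the answer.
    print(check_client_secret("A" * 16))   # both checks fail
    print(check_client_secret("A" * 54))   # both checks pass
    print(required_length(256), len(generate_client_secret()))
```

Note that a 32-character alphanumeric secret satisfies the octet-count rule for HS256 but still falls short of 256 bits of entropy, which is exactly the "almost certainly SHOULD contain more" caveat in the quoted text.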

2 REPLIES 2


Thank you for replying, and sorry for my rough question.