Is there a possibility an attacker can reverse engineer the client ID/secret from the access token? How is the access token derived?

Is there a possibility an attacker can reverse engineer the client ID/secret from the access token? How is the access token derived?

Nathan Aw

ACCEPTED SOLUTION

AFAIK, the access-token is randomly generated; there is no mathematical relation at all between tokens and client id/secret. The relation is stored in an Apigee DB.

So, there is no way to reverse engineer the client ID/secret unless you access the DB directly.

Of course, it's an illegal access from outside. If not, then you have an important security breach.

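An added illustration of the model described in the accepted solution (not part of the original thread and not Apigee's code): the token comes from a CSPRNG, and the only link to the client is a row in a server-side store. The class name, the in-memory dict standing in for the database, and the choice to key rows by a SHA-256 digest of the token are assumptions of this example.

```python
import hashlib
import secrets
import time


class OpaqueTokenStore:
    """Constructed, in-memory stand-in for the server-side token database."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._rows = {}  # sha256(token) hex digest -> (client_id, expiry time)

    def issue(self, client_id, now=None):
        """Mint a token for a client that has already been authenticated."""
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG. Neither the client ID nor the client
        # secret is an input, so the token carries no information about them.
        token = secrets.token_urlsafe(32)
        self._rows[self._key(token)] = (client_id, now + self.ttl)
        return token

    def introspect(self, token, now=None):
        """Return the owning client_id, or None if unknown or expired."""
        now = time.time() if now is None else now
        row = self._rows.get(self._key(token))
        if row is None or now >= row[1]:
            return None
        return row[0]

    @staticmethod
    def _key(token):
        # Example design choice: keep only a digest of the token at rest, so
        # reading the table does not hand out usable bearer tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()


def demo():
    store = OpaqueTokenStore(ttl_seconds=60)
    first = store.issue("client-a", now=1000.0)   # constructed client ID
    second = store.issue("client-a", now=1000.0)  # same client, new token
    return {
        "tokens_differ": first != second,
        "resolved": store.introspect(first, now=1001.0),
        "after_expiry": store.introspect(first, now=1060.0),
    }


if __name__ == "__main__":
    print(demo())
```

Holding a token therefore reveals nothing about the credentials; the mapping exists only in the store, which is why access to that store is the thing to protect.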

3 REPLIES

AFAIK, the access-token is randomly generated; there is no mathematical relation at all between tokens and client id/secret. The relation is stored in an Apigee DB.

Correct.

there is no way to reverse engineer the client ID/secret unless you access the DB directly.

Correct.

Thank you very much.