Hashing OAuth2 Access Tokens
WSO2 API Manager allows enabling OAuth2 token hashing to protect OAuth2 keys (OAuth2 access tokens, refresh tokens, consumer secrets, and authorization codes) in the event of a database security breach. Once token hashing is enabled, all the OAuth2 keys are hashed before they are stored in the database, so a dump of the table does not yield usable credentials.
Follow the instructions below to set up OAuth token hashing.

1. Stop the API Manager server if it is already running.

2. Open the <API-M_HOME>/repository/conf/deployment.toml file, uncomment the following configuration, and set the enable_token_hashing value to true:

   [apim.oauth_config]
   enable_token_hashing = true

3. Run the following command, based on the database engine you are using, to remove the CON_APP_KEY constraint from the IDN_OAUTH2_ACCESS_TOKEN table. For example, if you are using an H2 database, run:

   ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN DROP CONSTRAINT IF EXISTS CON_APP_KEY;

   Note: By default, there can be only one active access token for any consumer key, user, and scope combination; the CON_APP_KEY constraint in the IDN_OAUTH2_ACCESS_TOKEN table enforces this. However, when token hashing is enabled, only the hash of a token is stored, so the server cannot hand the existing token back to a client; instead a new access token is issued for every access token request, resulting in multiple active access tokens for the same consumer key, user, and scope combination. To allow multiple active access tokens to exist, you need to remove the CON_APP_KEY constraint.

4. Follow the Generate Application Keys guide to create a new application, generate application consumer keys, and obtain an access token.
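The note in step 3 makes two claims: a hashed table is useless to someone who dumps it, and a hashed store must mint a fresh token on every request, which collides with a single-active-token uniqueness rule such as CON_APP_KEY. The following Python model is an added example that is not WSO2 code and does not reproduce how the product's persistence layer is implemented. It assumes SHA-256 as the digest (the page does not name the algorithm), and its in-memory TokenStore, the SingleActiveTokenViolation exception and the column names are constructed stand-ins for the IDN_OAUTH2_ACCESS_TOKEN table and its constraint.

```python
"""Model of plaintext vs. hashed access-token storage (added example, not WSO2 code).

SHA-256 is an assumption for illustration; the table layout is constructed.
"""
import hashlib
import secrets


class SingleActiveTokenViolation(Exception):
    """Stands in for the database rejecting a second ACTIVE row (constructed)."""


def _digest(token: str) -> str:
    # Access tokens are high-entropy random strings, so an unsalted SHA-256 is
    # adequate for lookup; a slow password hash would only slow validation.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """In-memory stand-in for the IDN_OAUTH2_ACCESS_TOKEN table (constructed).

    hash_tokens=True   -> only the digest is persisted (token hashing enabled)
    single_active=True -> emulate the CON_APP_KEY uniqueness constraint
    """

    def __init__(self, hash_tokens: bool, single_active: bool):
        self.hash_tokens = hash_tokens
        self.single_active = single_active
        self.rows = []  # each row: {stored, consumer_key, user, scope, state}

    def _active_row(self, consumer_key, user, scope):
        for row in self.rows:
            key = (row["consumer_key"], row["user"], row["scope"], row["state"])
            if key == (consumer_key, user, scope, "ACTIVE"):
                return row
        return None

    def issue(self, consumer_key: str, user: str, scope: str) -> str:
        """Handle a token request; returns the plaintext token to the client."""
        existing = self._active_row(consumer_key, user, scope)
        if existing is not None:
            if not self.hash_tokens:
                # Plaintext store: the still-valid token can simply be returned.
                return existing["stored"]
            if self.single_active:
                # Hashed store: the plaintext is unrecoverable, so a new token
                # must be minted, but the constraint forbids a second ACTIVE row.
                raise SingleActiveTokenViolation("CON_APP_KEY: active token exists")
        token = secrets.token_urlsafe(32)
        self.rows.append({
            "stored": _digest(token) if self.hash_tokens else token,
            "consumer_key": consumer_key, "user": user, "scope": scope,
            "state": "ACTIVE",
        })
        return token

    def validate(self, token: str) -> bool:
        """Resource-server check: hash the presented token and look it up."""
        probe = _digest(token) if self.hash_tokens else token
        return any(r["stored"] == probe and r["state"] == "ACTIVE" for r in self.rows)

    def usable_after_dump(self) -> list:
        """Stored values that would pass validate() if replayed from a table dump."""
        return [r["stored"] for r in self.rows if self.validate(r["stored"])]


def demo() -> dict:
    """Exercise the three configurations from the note; every value should be True."""
    results = {}
    plain = TokenStore(hash_tokens=False, single_active=True)
    t1 = plain.issue("ck", "alice", "default")
    t2 = plain.issue("ck", "alice", "default")
    results["plain_reuses_token"] = t1 == t2
    results["plain_dump_is_usable"] = len(plain.usable_after_dump()) == 1

    hashed_constrained = TokenStore(hash_tokens=True, single_active=True)
    hashed_constrained.issue("ck", "alice", "default")
    try:
        hashed_constrained.issue("ck", "alice", "default")
        results["hashed_constraint_rejects_second"] = False
    except SingleActiveTokenViolation:
        results["hashed_constraint_rejects_second"] = True

    hashed = TokenStore(hash_tokens=True, single_active=False)  # constraint dropped
    a = hashed.issue("ck", "alice", "default")
    b = hashed.issue("ck", "alice", "default")
    results["hashed_issues_new_each_time"] = a != b
    results["both_tokens_still_valid"] = hashed.validate(a) and hashed.validate(b)
    results["hashed_dump_is_unusable"] = hashed.usable_after_dump() == []
    results["garbage_rejected"] = not hashed.validate("not-a-token")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The hashed store with the constraint still in place fails on the second request for the same consumer key, user and scope, which is exactly the situation step 3 removes; with the constraint dropped, both tokens stay valid and a dump of the table yields nothing that validate() accepts. One operational consequence worth noting: with hashing enabled, revocation and cleanup have to work on the (now more numerous) active rows rather than assuming one token per combination.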