How difficult it is to brute force the token has to do with the underlying
entropy. For opaque access tokens the specs recommend 128 bits of entropy.
How you encode that is not relevant to the security.
> On Apr 7, 2015, at 6:19 AM, Sergey Beryozkin wrote:
>
> Hi John
>
> Thanks for the c
Hi John
Thanks for the comments, what I'm curious about is not how to get a
generated (bearer) access token encoded with the encoded value having
fewer characters but how to better support a security
requirement that it should be difficult for an attacker to reproduce a
given acce
Best would depend on what you are encoding. If the thing you are encoding is
mostly URL safe then using URL escaping might give you the smallest result.
If it is 8-bit data then BASE64URL will give you a smaller result than HEX
encoding.
JWT uses BASE64URL, as a data point.
John B.
> On Apr 7, 20
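
The two points made in the replies above (entropy sets the brute-force cost, encoding only sets the length), as an added example that is not code from any poster in this thread. It assumes Python's `secrets` module as the random source; all function names are hypothetical.

```python
import base64
import math
import secrets

ENTROPY_BITS = 128  # figure quoted in the thread for opaque access tokens


def new_token_bytes(bits: int = ENTROPY_BITS) -> bytes:
    """Draw the raw token value from the OS CSPRNG; the entropy comes from here."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return secrets.token_bytes(bits // 8)


def encode_hex(raw: bytes) -> str:
    return raw.hex()


def encode_b64url(raw: bytes) -> str:
    # Unpadded BASE64URL; trailing '=' carries no information
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_b64url(text: str) -> bytes:
    # Restore the padding the encoder stripped before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encoded_length(bits: int, alphabet_size: int) -> int:
    """Characters needed to carry `bits` at log2(alphabet_size) bits each."""
    return math.ceil(bits / math.log2(alphabet_size))


def compare_encodings(raw: bytes) -> dict:
    hex_tok, b64_tok = encode_hex(raw), encode_b64url(raw)
    return {
        "hex_len": len(hex_tok),
        "b64url_len": len(b64_tok),
        # Both strings decode to the same bytes, so an attacker guessing the
        # token faces the same search space whichever encoding is on the wire.
        "same_value": bytes.fromhex(hex_tok) == decode_b64url(b64_tok) == raw,
        "guess_space_bits": len(raw) * 8,
    }


if __name__ == "__main__":
    print(compare_encodings(new_token_bytes()))
```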
Hi
Would it be correct to assume that the best method for encoding the
auto-generated bearer tokens is Base64URL? I've recently spotted that some
of our code uses the Hex encoding which I believe is inferior compared
to Base64URL given that the latter has a richer set of characters.
Is it a corr