
Generate CC Hash and Nonce for OAuth2.0 Client Credentials Grant Flow

Learn how to generate the CC (Client Credentials) hash and nonce, with and without the Java library. Both are needed to generate access tokens using the client credentials grant flow.

Note: The OAuth2.0 Client Credentials grant flow is disabled by default. Contact Support to enable this authentication flow.

To generate access tokens for the client credentials, you need a cc hash and a nonce.
Note: The access token for the client credentials flow is valid for 24 hours.

For generating the cc hash, you need Client Id, Client Secret, and Shared Secret Key parameters.
All three can be obtained after creating a client application with enabled OAuth2.0 Client-Credentials Authorization. Please contact the community administrator for these details. Along with this, you need two more parameters: epochTimeInMinutes and nonce.

The epochTimeInMinutes is the current system time in minutes. The nonce (number used once) is typically a randomly generated value that is associated with a message and must be unique within some specified scope. nonce is typically used to prevent replay attacks (aka playback attacks).

You can generate the cc hash and nonce in one of two ways:

Using the Client Credentials Java Library

  1. Download the cc-client-1.0.0.jar file from the About OAuth 2.0 Client Credentials Grant Flow.
  2. Add the .jar file to your project.
  3. Create a new KhorosOAuth2ClientCredentialsClient object.
KhorosOAuth2ClientCredentialsClient ccClient = new KhorosOAuth2ClientCredentialsClient();
  4. After creating the object, call the function getClientCredentialsHash() to generate the corresponding hash and nonce. The generated hash and nonce are provided as a CCHashNoncePair.
    Note: This function processes the 'Client Id', 'Client Secret', and 'Shared Secret Key' parameters, which are obtained from the User Interface of the client application.
  5. To generate the hash and nonce pair, use one of the following methods:
    Note: By default, the SHA512 algorithm is applied for hash generation.
  • Specify the algorithm and nonce; the function generates the cc-hash.
ccClient.getClientCredentialsHash(clientId, clientSecret, sharedSecretKey, nonce, <algorithm>)

This function processes the 'Client Id', 'Client Secret', 'Shared Secret Key', 'Nonce', and 'Algorithm'. The supported algorithm values are SHA256, SHA512, SCRYPT, RIPEMD160.

  • Without specifying the algorithm and nonce, the function generates the cc-hash.
    The function is defined as:
ccClient.getClientCredentialsHash(clientId, clientSecret, sharedSecretKey)

Here, only the 'Client Id', 'Client Secret', and 'Shared Secret Key' are specified, whereas the 'Nonce' and 'Algorithm' are generated randomly.

Without Using the Java Library

To generate the cc-hash without the Java library or .jar file, you need to prepare the data string, hash it with a specific algorithm, and hexadecimal-encode the result.

The data string is formed by concatenating the parameters 'Client Id', 'Client Secret', 'Nonce', and 'epochTimeMinute', in that order, with the delimiter ":" between them. This is the string to be hashed. The 'Nonce' can be generated randomly or as desired by the customer.

String strToHash = clientId + ":" + clientSecret + ":" + nonce + ":" + epochTimeMinute;

To generate the hash, you need a salt in addition to the string. Salts are normally used to safeguard passwords for storage; here, the salt is the Shared Secret Key. The string is hashed with the algorithm chosen by the customer, and the salt is passed to the hashing function.

Based on the four types of algorithms, the Java code to generate hash data is as follows:

Note: You can write the same code in any other language.
  • SHA256 algorithm
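import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.apache.commons.codec.binary.Hex; // Apache Commons Codec

public String generateHash(String strToHash, String salt) {
    try {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        // Digest the data string followed by the salt (the Shared Secret Key).
        md.update(strToHash.getBytes(StandardCharsets.UTF_8));
        md.update(salt.getBytes(StandardCharsets.UTF_8));
        byte[] messageDigest = md.digest();
        return Hex.encodeHexString(messageDigest);
    } catch (NoSuchAlgorithmException e) {
        throw new RuntimeException(e);
    }
}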
  • SHA512 algorithm
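import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.apache.commons.codec.binary.Hex; // Apache Commons Codec

public String generateHash(String strToHash, String salt) {
    try {
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        // Digest the data string followed by the salt (the Shared Secret Key).
        md.update(strToHash.getBytes(StandardCharsets.UTF_8));
        md.update(salt.getBytes(StandardCharsets.UTF_8));
        byte[] messageDigest = md.digest();
        return Hex.encodeHexString(messageDigest);
    } catch (NoSuchAlgorithmException e) {
        throw new RuntimeException(e);
    }
}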
  • SCRYPT hashing algorithm
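import java.nio.charset.StandardCharsets;
import org.apache.commons.codec.binary.Hex; // Apache Commons Codec
import org.bouncycastle.crypto.generators.SCrypt; // Bouncy Castle
public String generateHash(String strToHash, String salt) {
    // Arguments after the salt: N = 16, r = 16, p = 16, derived key length = 16 bytes.
    byte[] generatedSecuredPasswordHash = SCrypt.generate(strToHash.getBytes(StandardCharsets.UTF_8), salt.getBytes(
            StandardCharsets.UTF_8), 16, 16, 16, 16);
    return Hex.encodeHexString(generatedSecuredPasswordHash);
}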
  • RIPEMD160 hashing algorithm
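import java.nio.charset.StandardCharsets;
import org.apache.commons.codec.binary.Hex; // Apache Commons Codec
import org.bouncycastle.crypto.digests.GeneralDigest; // Bouncy Castle
import org.bouncycastle.crypto.digests.RIPEMD160Digest;

public String generateHash(String strToHash, String salt) {
    byte[] r = strToHash.getBytes(StandardCharsets.UTF_8);
    byte[] k = salt.getBytes(StandardCharsets.UTF_8);
    GeneralDigest digest = new RIPEMD160Digest();
    // Digest the data string followed by the salt (the Shared Secret Key).
    digest.update(r, 0, r.length);
    digest.update(k, 0, k.length);
    byte[] output = new byte[digest.getDigestSize()];
    digest.doFinal(output, 0);
    return Hex.encodeHexString(output);
}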
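
The whole "without the Java library" procedure as a Python port, added here as an example; it is not Khoros code. It assumes epochTimeMinute means Unix epoch seconds divided by 60 and uses a 128-bit hex nonce; the function names and sample credentials are constructed for illustration. RIPEMD160 is left out because Python's hashlib offers it only when the local OpenSSL build does.

```python
import hashlib
import secrets
import time


def epoch_time_minutes(now=None):
    """Whole minutes since the Unix epoch (assumed meaning of epochTimeMinute)."""
    return int((time.time() if now is None else now) // 60)


def new_nonce():
    """Random 128-bit nonce as hex (format is an assumption; the page leaves it open)."""
    return secrets.token_hex(16)


def build_string(client_id, client_secret, nonce, minutes):
    """clientId:clientSecret:nonce:epochTimeMinute, as in the Java strToHash line."""
    return f"{client_id}:{client_secret}:{nonce}:{minutes}"


def cc_hash(str_to_hash, shared_secret_key, algorithm="SHA512"):
    """Hash the data string with the Shared Secret Key as salt; return lowercase hex."""
    data = str_to_hash.encode("utf-8")
    salt = shared_secret_key.encode("utf-8")
    if algorithm == "SHA256":
        # Two update() calls in the Java code equal one digest over data + salt.
        return hashlib.sha256(data + salt).hexdigest()
    if algorithm == "SHA512":
        return hashlib.sha512(data + salt).hexdigest()
    if algorithm == "SCRYPT":
        # Same parameters as the Java call: N=16, r=16, p=16, 16-byte output.
        return hashlib.scrypt(data, salt=salt, n=16, r=16, p=16, dklen=16).hex()
    raise ValueError(f"unsupported algorithm: {algorithm}")


def make_cc_hash(client_id, client_secret, shared_secret_key,
                 algorithm="SHA512", nonce=None, now=None):
    """Return (cc_hash, nonce); a fresh nonce is generated when none is given."""
    nonce = nonce or new_nonce()
    data = build_string(client_id, client_secret, nonce, epoch_time_minutes(now))
    return cc_hash(data, shared_secret_key, algorithm), nonce


if __name__ == "__main__":
    # Constructed sample credentials, not real values.
    h, n = make_cc_hash("sample-client-id", "sample-client-secret", "sample-shared-key")
    print("nonce:  ", n)
    print("cc hash:", h)
```

Because the minute value is part of the hashed string, the same credentials and nonce produce a different hash in the next minute, so the hash and nonce must be generated immediately before the token request.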