Use secrets.choice() instead of random.sample() for PKCE, nonce, and state generation#889

Draft
Copilot wants to merge 2 commits into dev from copilot/improve-random-generator

Conversation

Copilot AI commented Mar 19, 2026

random.sample() uses a deterministic PRNG unsuitable for security-sensitive values. PKCE code verifiers, OAuth state parameters, and OIDC nonces require cryptographically strong randomness.

Changes

  • msal/oauth2cli/oauth2.py: Replace import random with import secrets; update PKCE code verifier and OAuth state generation
  • msal/oauth2cli/oidc.py: Replace import random with import secrets; update nonce generation
```python
# Before
verifier = "".join(random.sample(string.ascii_letters + string.digits + "-._~", length))
"state": state or "".join(random.sample(string.ascii_letters, 16))
nonce = "".join(random.sample(string.ascii_letters, 16))

# After
verifier = "".join(secrets.choice(string.ascii_letters + string.digits + "-._~") for _ in range(length))
"state": state or "".join(secrets.choice(string.ascii_letters) for _ in range(16))
nonce = "".join(secrets.choice(string.ascii_letters) for _ in range(16))
```

Note: random.sample() also samples without replacement, artificially constraining the output space. secrets.choice() allows repeated characters, increasing entropy for the same output length.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • login.microsoftonline.com
    • Triggering command: /usr/bin/python python -m pytest tests/ -x -q --ignore=tests/test_e2e.py --ignore=tests/test_benchmark.py --ignore=tests/test_e2e_manual.py (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>[Feature] Improve Random generator</issue_title>
<issue_description>Improve the random generator - random.sample() function to secrets.choice() to provide more randomness

</issue_description>

<agent_instructions>Look at PKCE, nonce and state generation.</agent_instructions>

Comments on the Issue (you are @copilot in this section)
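The following is an added example, not code from the MSAL repository or from this pull request. It shows the pattern the PR adopts (`secrets.choice()` with replacement) carried through to a full PKCE verifier/challenge pair per RFC 7636, alongside a calculation of how much the without-replacement sampling of `random.sample()` shrinks the output space that the PR's note describes. Function names, the 43-character default and the validation helper are this example's own choices.

```python
# Added example (not MSAL's code): CSPRNG-based PKCE/state/nonce generation
# and the output-space comparison behind "sampling without replacement".
import base64
import hashlib
import math
import secrets
import string

# RFC 7636 section 4.1: code_verifier uses the unreserved characters
# [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" and is 43..128 chars long.
PKCE_ALPHABET = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length=43):
    """Build a PKCE code_verifier from a CSPRNG, drawing with replacement."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters (RFC 7636)")
    return "".join(secrets.choice(PKCE_ALPHABET) for _ in range(length))


def code_challenge_s256(verifier):
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def generate_opaque_token(length=16, alphabet=string.ascii_letters):
    """OAuth state / OIDC nonce: only needs to be unguessable and compared for equality."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_valid_code_verifier(verifier):
    """Defensive check a server or test can apply to a received verifier."""
    return 43 <= len(verifier) <= 128 and all(c in PKCE_ALPHABET for c in verifier)


def bits_with_replacement(alphabet_size, length):
    """log2 of the number of strings secrets.choice() can produce: n**k."""
    return length * math.log2(alphabet_size)


def bits_without_replacement(alphabet_size, length):
    """log2 of the number of ordered strings random.sample() can produce:
    n! / (n-k)!. Undefined once length exceeds the alphabet size."""
    if length > alphabet_size:
        raise ValueError("random.sample() cannot draw more items than the population")
    return math.log2(math.perm(alphabet_size, length))


if __name__ == "__main__":
    v = generate_code_verifier()
    print("code_verifier :", v)
    print("code_challenge:", code_challenge_s256(v))
    print("state         :", generate_opaque_token())
    n, k = len(PKCE_ALPHABET), 43
    print(f"verifier space, with replacement   : {bits_with_replacement(n, k):.1f} bits")
    print(f"verifier space, without replacement: {bits_without_replacement(n, k):.1f} bits")
```

Two practical consequences fall out of the arithmetic: the PKCE alphabet has 66 characters, so `random.sample()` could never produce a verifier longer than 66 characters (it raises `ValueError`), while `secrets.choice()` covers the full 43..128 range the RFC allows; and for the 16-character state and nonce drawn from 52 letters, sampling with replacement yields about 91 bits of output space versus roughly 87 bits without, a gap that grows quickly with length. The `code_challenge_s256` function can be checked against the RFC 7636 Appendix B test vector.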


…ate generation

Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>
Copilot AI changed the title [WIP] Improve random generator using secrets.choice Use secrets.choice() instead of random.sample() for PKCE, nonce, and state generation Mar 19, 2026
Copilot AI requested a review from bgavrilMS March 19, 2026 22:17
Development

Successfully merging this pull request may close these issues.

[Feature] Improve Random generator

2 participants