The following refer to the generateAccessToken() function in library/OAuth2/ResponseType/AccessToken.php, and the generateAuthorizationCode() function in library/OAuth2/ResponseType/AuthorizationCode.php.

• These functions attempt to generate secure auth tokens, but do not use the WordPress random number generator. Instead they use a series of fallback calculations depending on which PHP version is being used. Some of these calculations are not crypographically secure:
• The first is mcrypt_create_iv(100, MCRYPT_DEV_URANDOM). MCRYPT_DEV_URANDOM is expected to change to a different random value whenever it is called, but on Windows, on older versions of php it is known to be a constant value
• if no other functions (e.g. /dev/urandom) are available then the access token is generated solely using mt_rand(), microtime(), and uniqid().
• mt_rand() (Mersenne twister) is not a cryptographically secure pseudorandom number generator.
• According to the documentation mt_rand() is also biassed towards even return values in some circumstances.
• According to the documentation uniqid() is as secure a PRNG as microtime().

Current state: Reported