Generating consumer key/secrets for HMAC-SHA1
I am looking for a programmatic way to generate consumer key/secrets for HMAC-SHA1 to be used by clients invoking our API over OAuth. Any pointers to existing implementations would be highly helpful.
Secrets are best when generated from random data. That way there is no external data which could help an attacker deduce or guess part or the entire key. Of course, it depends on how much protection your secret key needs. Java includes some random number generators in java.util.Random (since JDK1.0). If you don't have backward compatibility issues, Java 6 has java.security.SecureRandom which meets FIPS 140-2 requirements. The Java libraries are not truly random, but they are probably good enough for most applications. If you need better random data, you should go for a hardware-based random generator.
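An added example, not part of the original answer: generating a consumer key and secret from java.security.SecureRandom, then computing and checking an HMAC-SHA1 signature with them. The class name, token lengths, sample message and the direct use of the consumer secret as the HMAC key are assumptions for illustration (OAuth 1.0 builds the signing key from the consumer secret and the token secret); it needs Java 8 or later for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class name; lengths below are assumed, not mandated by OAuth.
public class ConsumerCredentials {
    private static final SecureRandom RNG = new SecureRandom(); // cryptographic RNG
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // Returns nBytes of SecureRandom output as URL-safe text (no '+', '/' or '=').
    static String randomToken(int nBytes) {
        byte[] buf = new byte[nBytes];
        RNG.nextBytes(buf);
        return B64URL.encodeToString(buf);
    }

    // HMAC-SHA1 over the message, keyed with the secret's bytes.
    static byte[] hmacSha1(String secret, String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.US_ASCII), "HmacSHA1"));
        return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    // Server-side check; MessageDigest.isEqual avoids an early-exit byte comparison.
    static boolean verify(String secret, String message, byte[] presented) throws Exception {
        return MessageDigest.isEqual(hmacSha1(secret, message), presented);
    }

    public static void main(String[] args) throws Exception {
        String consumerKey = randomToken(16);    // public identifier, 128 random bits
        String consumerSecret = randomToken(32); // shared secret, 256 random bits
        System.out.println("consumer key: " + consumerKey);
        System.out.println("consumer secret length: " + consumerSecret.length());

        // Constructed sample string, not a real OAuth signature base string.
        String message = "GET&https%3A%2F%2Fapi.example.test%2Fitems&consumer=" + consumerKey;
        byte[] sig = hmacSha1(consumerSecret, message);
        System.out.println("valid signature accepted: " + verify(consumerSecret, message, sig));
        System.out.println("other secret rejected: " + !verify(randomToken(32), message, sig));
    }
}
```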