diff -r 4746609a6656 -r d5dc8edb2695 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:31:02 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Sat Mar 11 22:46:27 2023 +0100
@@ -6,7 +6,7 @@
 local usermanager = require "core.usermanager";
 local errors = require "util.error";
 local url = require "socket.url";
-local uuid = require "util.uuid";
+local id = require "util.id";
 local encodings = require "util.encodings";
 local base64 = encodings.base64;
 local random = require "util.random";
@@ -185,7 +185,7 @@
 local request_username, request_host = jid.split(granted_jid);
 local granted_scopes = filter_scopes(request_username, request_host, params.scope);
 
-local code = uuid.generate();
+local code = id.medium();
 local ok = codes:set(params.client_id .. "#" .. code, {
 expires = os.time() + 600;
 granted_jid = granted_jid;
@@ -624,8 +624,9 @@
 end
 end
 
--- Ensure each signed client_id JWT is unique
-client_metadata.nonce = uuid.generate();
+-- Ensure each signed client_id JWT is unique, short ID and issued at
+-- timestamp should be sufficient to rule out brute force attacks
+client_metadata.nonce = id.short();
 
 -- Do we want to keep everything?
 local client_id = jwt_sign(client_metadata);
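Review bot: The authorization code at `local code = id.medium();` is a bearer credential, and the hunk gives no indication of how much entropy `util.id.medium` provides compared with the UUID it replaces; RFC 6749 §10.10 asks that the probability of guessing such a code be at most 2^-128, and if `medium()` yields fewer than 16 random bytes (as I believe it does upstream, though that is not visible here) that bound is not met on entropy alone. The 600-second expiry and the `client_id` prefix in the `codes` key do not reduce the guessing space, since the prefix is client-chosen. Consider `local code = id.long();` here, or add a comment stating the entropy of the chosen id and why it is considered sufficient. The enclosing handler starts and ends outside the hunk.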
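Review bot: The new comment above `client_metadata.nonce = id.short();` talks about brute force, but the property the nonce actually provides (per the comment's own first line) is uniqueness of the signed client_id JWT, which is a collision concern rather than a guessing one: the JWT is produced by `jwt_sign` with the server's key, so predicting the nonce gains an attacker nothing. Suggest rewording so the next reader does not look for a secrecy property that is not there, e.g. `-- Nonce plus the issued-at timestamp makes each signed client_id JWT unique; it needs no secrecy, only enough bits that two registrations in the same second do not collide`. If client_id uniqueness is later relied on for a lookup keyed on the JWT, the thing to justify is the size of `id.short()`, not its unpredictability. The enclosing function starts and ends outside the hunk.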