OAuth 2.0 Creating a Token and Secret Token

I am implementing an OAuth 2.0 provider server using the Apache Oltu infrastructure, and I am looking for some ideas on how to create an access token and secret tokens in Java. Please advise.

+6
1 answer

The OAuth 2.0 specification says nothing about how to create a token and secret token. Thus, it is up to you whether you use any existing/anchor data to create tokens or whether you want to use a random sequence to generate tokens. The only difference is that if you use presumably known data (for example, user data such as username, creation date, etc.), you can restore tokens at any time. If you use a random sequence of data, you will not be able to recover tokens after they are lost.

In other words, the RFC does not limit you in the generation process.

I would probably use a concatenation of user data plus some random data and then Base64 encoding.

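    import org.apache.commons.codec.binary.Base64;

    // username, creationDate and random are supplied by the caller
    String keySource = username + creationDate + random;
    // Static helper from commons-codec that emits the URL-safe Base64 alphabet
    byte[] tokenByte = Base64.encodeBase64URLSafe(keySource.getBytes());
    String token = new String(tokenByte);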
+14
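
An added example, not part of the original answer and not Apache Oltu code: it shows that a Base64-encoded concatenation can be decoded back to its inputs by anyone holding the token, next to the random-sequence option the answer mentions, with only a hash of the token kept server-side. The class name, the in-memory map and the sample values are assumptions made for illustration; only JDK classes are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class OpaqueTokenDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // Hypothetical in-memory store: SHA-256(token) -> username. A real provider would use a database.
    private static final Map<String, String> STORE = new ConcurrentHashMap<>();

    /** Issues a URL-safe token built from 256 bits of CSPRNG output; only its hash is stored. */
    static String issue(String username) throws NoSuchAlgorithmException {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        STORE.put(sha256(token), username);
        return token;
    }

    /** Returns the owning username, or null if the token is unknown. */
    static String lookup(String token) throws NoSuchAlgorithmException {
        return STORE.get(sha256(token));
    }

    static String sha256(String s) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values in the shape of the answer's keySource.
        String keySource = "alice" + "2024-01-01" + "4711";
        String derived = Base64.getUrlEncoder().encodeToString(keySource.getBytes(StandardCharsets.UTF_8));
        // Base64 is an encoding, not encryption: the inputs can be read back from the token.
        System.out.println("decoded: " + new String(Base64.getUrlDecoder().decode(derived), StandardCharsets.UTF_8));

        String token = issue("alice");
        System.out.println("opaque token: " + token);
        System.out.println("lookup valid: " + lookup(token));
        System.out.println("lookup forged: " + lookup(token + "x"));
    }
}
```

Storing only the hash means a leaked token table does not hand out usable tokens, at the cost the answer already notes: a lost random token cannot be recovered, only reissued.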

Source: https://habr.com/ru/post/947428/

