LuaOAuth

Questionable nonce generation

Open NotAFile opened this issue 8 years ago • 1 comments

The generate_nonce function uses a very questionable method for random number generation.

The schema is hmac(math.random() + "random" + os.time(), "keyyy").

I am not familiar with the security requirements for an OAuth nonce, but all parts of this are trivially guessable or constant. If the goal is simply to have a unique number, just using e.g. socket.gettime() and/or a counter should be enough, so the complexity of the nonce generation makes me think this might be a poor attempt at generating a secret nonce.

NotAFile, Oct 28 '17 13:10

Some research has shown that the nonce can be public; the requirement is only for the nonce to be unique per second. As such, a simple counter should be enough and actually reduce the chance of a collision.

NotAFile, Oct 28 '17 16:10
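
The counter approach suggested in the last comment, sketched as an added example that is not part of the thread and not LuaOAuth's code. The names `NonceSource` and `process_prefix` are hypothetical, and the example assumes the nonce only has to be unique, not secret.

```lua
-- Added example (not LuaOAuth code): a nonce that is unique by construction.
-- Assumption: the nonce only needs to be unique per client, not secret.
local NonceSource = {}
NonceSource.__index = NonceSource

-- Per-process prefix, so two processes that both start counting at 1
-- do not emit the same nonce. Falls back to clock values where
-- /dev/urandom is unavailable (weaker, still aimed at uniqueness only).
local function process_prefix()
  local f = io.open("/dev/urandom", "rb")
  if f then
    local bytes = f:read(8)
    f:close()
    if bytes and #bytes == 8 then
      return (bytes:gsub(".", function(c)
        return string.format("%02x", c:byte())
      end))
    end
  end
  return string.format("%x%x", os.time(), math.floor(os.clock() * 1e6))
end

function NonceSource.new(clock)
  return setmetatable({
    clock = clock or os.time,  -- injectable so the demo can freeze time
    prefix = process_prefix(),
    counter = 0,
  }, NonceSource)
end

-- Returns nonce, timestamp. The counter never resets, so a clock that
-- stalls or steps backwards cannot cause a repeated nonce.
function NonceSource:next()
  self.counter = self.counter + 1
  return self.prefix .. "-" .. self.counter, self.clock()
end

-- Demo with a constructed, frozen timestamp: every request falls into the
-- same second, which is the case the uniqueness requirement is about.
local src = NonceSource.new(function() return 1509199800 end)
local seen = {}
for _ = 1, 100000 do
  local nonce = src:next()
  assert(not seen[nonce], "duplicate nonce: " .. nonce)
  seen[nonce] = true
end
print("100000 nonces within one timestamp, no duplicates")
```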