diff --git a/oauth2client/contrib/xsrfutil.py b/oauth2client/contrib/xsrfutil.py
index 7c3ec03..20f35c9 100644
--- a/oauth2client/contrib/xsrfutil.py
+++ b/oauth2client/contrib/xsrfutil.py
@@ -44,7 +44,7 @@ def generate_token(key, user_id, action_id='', when=None):
     Returns:
         A string XSRF protection token.
     """
-    digester = hmac.new(_helpers._to_bytes(key, encoding='utf-8'))
+    digester = hmac.new(_helpers._to_bytes(key, encoding='utf-8'), digestmod='MD5')
     digester.update(_helpers._to_bytes(str(user_id), encoding='utf-8'))
     digester.update(DELIMITER)
     digester.update(_helpers._to_bytes(action_id, encoding='utf-8'))
diff --git a/tests/contrib/test_xsrfutil.py b/tests/contrib/test_xsrfutil.py
index 3115827..deae568 100644
--- a/tests/contrib/test_xsrfutil.py
+++ b/tests/contrib/test_xsrfutil.py
@@ -54,7 +54,7 @@ class Test_generate_token(unittest.TestCase):
                                             TEST_USER_ID_1,
                                             action_id=TEST_ACTION_ID_1,
                                             when=TEST_TIME)
-            hmac.new.assert_called_once_with(TEST_KEY)
+            hmac.new.assert_called_once_with(TEST_KEY, digestmod='MD5')
             digester.digest.assert_called_once_with()
 
             expected_digest_calls = [
@@ -87,7 +87,7 @@ class Test_generate_token(unittest.TestCase):
                                                 TEST_USER_ID_1,
                                                 action_id=TEST_ACTION_ID_1)
 
-                hmac.new.assert_called_once_with(TEST_KEY)
+                hmac.new.assert_called_once_with(TEST_KEY, digestmod='MD5')
                 time.time.assert_called_once_with()
                 digester.digest.assert_called_once_with()