Reputation: 11
OAuth 2 provider: storing client credentials
What are the best practices for storing client creds when implementing an OAuth2 provider?
I can store access_token/refresh_token/auth_code as a salted hash (just like passwords) if I decide that every time client requests a new one I issue a new one. But in the case of the client_secret I need to be able to show it along the client_id on the app registration page, so I can't keep only the hash.
Thanks! Lev
Upvotes: 1
Views: 987
Answers (1)
Reputation: 900
Using a machine generated client secret is only one of many means to authenticate a client application. I assume this is what you want to use in your service. In this case you already answered your question, you have to store the secret in plain text as long as you want to be able to communicate it to application developers at any time.
If this is not acceptable for you, consider choosing a different solution, such as letting the developer set the secret like you would do with a password, and never store the plaintext; or use a private/public key pair authentication scheme like MAC.
Upvotes: 1
Related Questions
- Node-oidc-provider How to store clients in database
- How to store OAuth client id on native apps
- Storing client secret on client side
- Storing access token obtained through client credentials oauth2 flow
- OAuth-server, storing user tokens
- OAuth client credentials concept
- Handling the OAuth2 Client Credentials flow
- OAuth 1.0a, 2-legged: how do you securely store clients' credentials (keys/secrets)?
- Storing OAuth2 client_id and client_secret securely in a client side app
- How to store consumer secret for two-legged OAuth provider?