ikryvorotenko

Reputation: 1423

Proper place for oAuth2 clientId & clientSecret

I'm working on my web application, which supports OAuth2 authentication with third-party services. So I have my clientId and clientSecret keys, which I use to authorize my application.

I'm using the Spring Security OAuth dependency and configure all that in props. And so here's the problem: as I understand, keeping this information in classpath props is unsafe. On the other side, I'm looking for a solution which allows me to get my application up and running out of the box without any third-party props/configs (so I don't like the idea of putting these props on the environment side).

I'm wondering if there are any best practices for keeping clientId and clientSecret keys?

Upvotes: 1

Views: 941

Answers (1)

Olga Khylkouskaya

Reputation: 495

At Salesforce we stored sensitive information in properties in an encrypted way. For example:

sensitive.property=ENC(2sfs25D!==)

When the app starts it reads those properties, identifies which ones are encrypted and decrypts them. It is possible to add custom logic to Spring's default @Value reading, for example.

Depending on your company's security guidelines, use an appropriate encryption algorithm. For example scrypt: https://mvnrepository.com/artifact/com.lambdaworks/scrypt

import com.lambdaworks.crypto.SCryptUtil;

int SCRYPT_N_PARAM = 65536; // CPU/memory cost parameter, must be a power of two
int SCRYPT_R_PARAM = 8;     // block size parameter
// Returns a "$s0$..." string that encodes the parameters, a random salt and the derived key
String hashed = SCryptUtil.scrypt(str, SCRYPT_N_PARAM, SCRYPT_R_PARAM, 1);

Upvotes: 1
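An added example, not code from the answer or from Spring, of the startup decryption the answer describes: a Spring Boot EnvironmentPostProcessor that resolves ENC(...) property values with AES-GCM before any @Value is injected. It assumes a hypothetical APP_PROPERTY_KEY environment variable holding the base64 256-bit key (kept out of the classpath) and the ciphertext layout base64(iv || ciphertext || tag).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.PropertySource;

/** Resolves ENC(...) properties to plaintext at startup. Hypothetical class, not Spring's own. */
public class EncryptedPropertyPostProcessor implements EnvironmentPostProcessor {
    private static final int IV_BYTES = 12, TAG_BITS = 128; // standard AES-GCM sizes

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication app) {
        // Assumption: the key is supplied outside the classpath via APP_PROPERTY_KEY (base64).
        String keyB64 = System.getenv("APP_PROPERTY_KEY");
        if (keyB64 == null) throw new IllegalStateException("APP_PROPERTY_KEY not set");
        SecretKey key = new SecretKeySpec(Base64.getDecoder().decode(keyB64), "AES");
        // Highest-priority source: answers only for ENC(...) values, otherwise defers.
        env.getPropertySources().addFirst(new PropertySource<Object>("decrypted") {
            @Override public Object getProperty(String name) {
                for (PropertySource<?> ps : env.getPropertySources()) {
                    if (ps == this) continue;            // never re-enter ourselves
                    Object v = ps.getProperty(name);
                    if (v == null) continue;
                    String s = v.toString();
                    // null lets Spring fall through to ps, which holds the plain value
                    return s.startsWith("ENC(") && s.endsWith(")")
                        ? decrypt(key, s.substring(4, s.length() - 1)) : null;
                }
                return null;
            }
        });
    }

    /** Decrypts base64(iv || ciphertext || tag); a wrong key or tampered value fails closed. */
    static String decrypt(SecretKey key, String b64) {
        try {
            byte[] blob = Base64.getDecoder().decode(b64);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
            byte[] plain = c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("property decryption failed", e);
        }
    }
}
```

Register it in META-INF/spring.factories under the key org.springframework.boot.env.EnvironmentPostProcessor so Spring Boot runs it before the application context is built.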
