IdentityServer4 storing Client Secrets

Question

I'm currently trying to build an single sign-on Server for a couple of clients to use. Because I don't exactly know, how many clients that will be, I planned to make it so I can add clients at runtime using the EntityFramework Configuration Store.

My problem is now how to set the client secrets. I tried generating a new GUID and using that as a secret. The problem now is, that the Configuration Store just wants to save the hashed version of the secret and I would need to access the plain secret to add it to the actual client application.

I assume that this is on purpose and that it is discouraged to save the plain version of the secret? What would be the go-to solution for saving secrets?

Answer 1

You should not store the client secret in plain text.

Always assume that your configuration database gets compromised - and then those secrets can be used to impersonate your clients.

This might be slightly inconvenient for you - but it is a best practice (and also in-line with how other token services deal with that).

If you have other means of protecting the secret at rest - you can add the the plain text based secret validator to DI

https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/Validation/PlainTextSharedSecretValidator.cs

Answer 2

Use following algorithm to generate sha256 hash. This is the same algorithm used in IdentityServer4.Models.HashExtensions class.

using System.Security.Cryptography;

static class Extentions
{

    public static string Sha256(this string input)
    {

        using (SHA256 shA256 = SHA256.Create())
        {
            byte[] bytes = Encoding.UTF8.GetBytes(input);
            return Convert.ToBase64String(((HashAlgorithm)shA256).ComputeHash(bytes));
        }
    }
}


void Main()
{
    Console.WriteLine( "secret-as-guid".Sha256());
}