Where To Store The Client Secret?

Question

I am just starting out with identity server and am going through the quickstarts now (apologies for the noob question in advance!).

My query comes from the fact that in all the quickstarts on the documentation site, the client secret appears in clear text in the code, even the sample where both EF and asp.net identity are being used to store config and user creds.

My immediate reaction is that storing a secret in code is a no-no, but I can see mitigating circumstances depending on what client type we are talking about e.g. if the client is a hosted mvc webapp then the code is theoretically well protected on the hosting server, but if it is a desktop client then it is more vulnerable to for example decompilation.

I have looked through all the quickstarts and also done some googling, but I cannot find any definitive answers of the kind that are similar to asp.net identity users creds (i.e. store hashed in a db). I have also searched through the identity server docs to find any guidance on this and have not found any (even the secrets sub-topic has the secret in code).

So am i worrying over nothing and should just stick the secret in the config file in clear-text code or is there a better in-built mechanism (like asp.net identity's hashing and storing in a db or similar)?

Thanks :)

PS this question applies to the secret storage in the identity server code as well as in the client

Answer 1

Unless you are just starting up on Identity you should store all of your Client Secrets in your database. Most startups use the Config.cs file to store all of these because its just local testing. But once you have IS4 working you should move it to your database and store a hashed version of the password to insure that if your database was exposed they would still be secure. As for you identity server code, I store the secret in the appSettings which you can keep private depending on your deployment.