auth0 / auth0-java

Java client library for the Auth0 platform
https://auth0.com
MIT License

use char[] instead of String for sensitive data #529

Closed victorhua closed 1 year ago

victorhua commented 1 year ago

Describe the problem you'd like to have solved

We are trying to use char[] instead of String for handling sensitive data in code, such as clientSecret. It seems the client SDK is using String: https://github.com/auth0/auth0-java/blob/master/src/main/java/com/auth0/client/auth/AuthAPI.java#L102 Is there any plan to move to char[] instead?

Describe the ideal solution

Alternatives and current work-arounds

Additional information, if any

victorhua commented 1 year ago

Maybe use CharSequence instead, so it is backwards compatible.

jimmyjames commented 1 year ago

Hi @victorhua, thanks for the info. This is a tricky one; I understand the request, but as a REST library, ultimately values end up transmitted over the wire through an HTTP library, in this case, OkHttp. In certain cases we can serialize data ourselves and use char arrays, but not always. In the case of the client secret, for example, it may be sent as an x-www-form-urlencoded parameter, which will ultimately end up as a String. There was a similar request to OkHttp itself, but ultimately it's not something that will be supported. So, even if we did accept the secret as a char array, at some point during the HTTP transfer it can end up as a String, thus not providing any real value.
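The two situations described in the comment above, as an added illustration that is not code from auth0-java or OkHttp: `buildBodyAsString` is the common path, where `URLEncoder.encode` only accepts a `String`, so the `char[]` secret is copied into an immutable `String` that wiping the array can no longer affect; `buildBodyAsBytes` is the "serialize data ourselves" path, which goes from `char[]` to UTF-8 bytes through `CharBuffer`/`ByteBuffer`, percent-encodes the bytes by hand, and zeroes every intermediate buffer. The class name, method names and the sample credential are made up for the example.

```java
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical helper for illustration only; not part of auth0-java or OkHttp.
public final class SecretFormBody {

    private static final char[] HEX = "0123456789ABCDEF".toCharArray();

    // Path 1: the usual form-encoding route. URLEncoder.encode takes a String,
    // so the char[] has to be copied into one. That copy is immutable and stays
    // on the heap until the garbage collector reclaims it; wiping the array
    // afterwards does nothing to it.
    static String buildBodyAsString(String clientId, char[] clientSecret) {
        String secretCopy = new String(clientSecret); // cannot be zeroed
        return "client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8)
             + "&client_secret=" + URLEncoder.encode(secretCopy, StandardCharsets.UTF_8);
    }

    // Path 2: serialise the secret ourselves without ever creating a String
    // of it. Only fixed, non-secret parts of the body go through String APIs.
    static byte[] buildBodyAsBytes(String clientId, char[] clientSecret) {
        byte[] prefix = ("client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8)
                         + "&client_secret=").getBytes(StandardCharsets.US_ASCII);
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(clientSecret));
        byte[] secretBytes = new byte[utf8.remaining()];
        utf8.get(secretBytes);
        byte[] encoded = percentEncode(secretBytes);
        byte[] body = new byte[prefix.length + encoded.length];
        System.arraycopy(prefix, 0, body, 0, prefix.length);
        System.arraycopy(encoded, 0, body, prefix.length, encoded.length);
        // Zero the intermediates; the caller zeroes `body` after writing it out.
        Arrays.fill(secretBytes, (byte) 0);
        Arrays.fill(encoded, (byte) 0);
        utf8.clear();
        while (utf8.hasRemaining()) utf8.put((byte) 0);
        return body;
    }

    // application/x-www-form-urlencoded encoding over bytes, matching what
    // URLEncoder does: unreserved characters pass through, space becomes '+',
    // everything else becomes %XX. The oversized scratch buffer is wiped.
    static byte[] percentEncode(byte[] in) {
        byte[] scratch = new byte[in.length * 3];
        int n = 0;
        for (byte b : in) {
            int c = b & 0xff;
            if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
                    || c == '-' || c == '_' || c == '.' || c == '*') {
                scratch[n++] = (byte) c;
            } else if (c == ' ') {
                scratch[n++] = '+';
            } else {
                scratch[n++] = '%';
                scratch[n++] = (byte) HEX[c >> 4];
                scratch[n++] = (byte) HEX[c & 0x0f];
            }
        }
        byte[] out = Arrays.copyOf(scratch, n);
        Arrays.fill(scratch, (byte) 0);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample credential. In real code the char[] would come
        // from Console.readPassword() or a secret store, not a String literal.
        char[] secret = "s3cr3t v@lue".toCharArray();

        String bodyString = buildBodyAsString("my-client", secret);
        byte[] bodyBytes = buildBodyAsBytes("my-client", secret);

        Arrays.fill(secret, '\0'); // wipe the caller's copy

        // The String body still carries the secret after the wipe:
        System.out.println(bodyString); // client_id=my-client&client_secret=s3cr3t+v%40lue

        // The byte body carries the same content but no String of the secret
        // was created while building it. Written with write() so that even
        // the demo does not turn it into a String.
        System.out.write(bodyBytes, 0, bodyBytes.length);
        System.out.println();
        Arrays.fill(bodyBytes, (byte) 0);
    }
}
```

The byte path only helps if the HTTP client can accept a raw byte body rather than a form builder that takes `String` name/value pairs, and even then the bytes are copied into socket buffers the application does not control. It narrows the window in which the secret exists as an unwipeable object; it does not eliminate the copies that the comment above says are unavoidable.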

victorhua commented 1 year ago

Yes, that is what I feel as well, closing.