lovetodream / olympus

An open source solution for User Authentication and Authorization based on OAuth 2 and OpenID Connect with a great developer experience.
MIT License

Securely store client secrets #17

Open lovetodream opened 2 years ago

lovetodream commented 2 years ago

A client_secret should not be stored as plain text in the database, an option might be to use something like Vault. Or come up with a solution that fits the purpose of storing the secret, without making it completely inaccessible for the user after its creation.

lovetodream commented 2 years ago

I am currently considering showing the client secret only once, after the client is created, and hashing it afterwards. So the admin is responsible for storing it somewhere secure.

lovetodream commented 2 years ago

The solution I came up with is creating the client without a secret and asking the user afterwards if he wants to create a secret now. This will also inform him that he will not be able to see the secret again and therefore needs to store it somewhere safe. Of course he will be able to regenerate the secret whenever he wants to.
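The flow described in this thread (create the client without a secret, mint a secret on request, show the plaintext exactly once, persist only a salted hash, and let the admin regenerate it), written out as an added example. This is not code from the olympus project; `ClientStore` is an in-memory stand-in for the database table, and the PBKDF2 iteration count is an assumed tuning value. Verification at the token endpoint uses a constant-time comparison so that a wrong secret cannot be distinguished by timing.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed tuning value for this example; a real deployment tunes it to its hardware.
PBKDF2_ITERATIONS = 100_000


@dataclass
class Client:
    client_id: str
    # Only the salt and the derived hash are persisted; the plaintext secret
    # is returned to the admin once and never stored.
    secret_salt: Optional[bytes] = None
    secret_hash: Optional[bytes] = None

    @property
    def has_secret(self) -> bool:
        return self.secret_hash is not None


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the secret (what gets stored and compared)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


class ClientStore:
    """In-memory stand-in for the clients table (constructed for this example)."""

    def __init__(self) -> None:
        self._clients: dict[str, Client] = {}

    def create_client(self) -> Client:
        # Step 1: the client is created without any secret at all.
        client = Client(client_id=secrets.token_urlsafe(16))
        self._clients[client.client_id] = client
        return client

    def generate_secret(self, client_id: str) -> str:
        """Step 2 and every later regeneration: mint a fresh secret, store only
        its salted hash, and hand the plaintext back exactly once. Any previous
        secret stops working immediately."""
        client = self._clients[client_id]
        plaintext = secrets.token_urlsafe(32)  # 256 bits of entropy
        client.secret_salt = secrets.token_bytes(16)
        client.secret_hash = _derive(plaintext, client.secret_salt)
        return plaintext

    def verify_secret(self, client_id: str, candidate: str) -> bool:
        """Token-endpoint check: unknown client or no secret configured fails closed;
        the candidate is never logged or persisted."""
        client = self._clients.get(client_id)
        if client is None or not client.has_secret:
            return False
        return hmac.compare_digest(
            _derive(candidate, client.secret_salt), client.secret_hash
        )


if __name__ == "__main__":
    store = ClientStore()
    client = store.create_client()
    shown_once = store.generate_secret(client.client_id)
    print("client_id:", client.client_id)
    print("client_secret (shown once):", shown_once)
    print("stored hash:", client.secret_hash.hex())
    print("verify:", store.verify_secret(client.client_id, shown_once))
```

Because the secret is generated server-side with full entropy, the hash only has to protect against a database leak, not against guessing a weak user-chosen value; the salt and slow KDF are still kept so a leaked table cannot be turned into working credentials with a precomputed lookup.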