Open lovetodream opened 2 years ago
I am currently considering showing the client secret only once, right after the client is created, and hashing it afterwards. So the admin is responsible for storing it somewhere secure.
The solution I came up with is creating the client without a secret and asking the user afterwards if he wants to create a secret now. This will also inform him that he will not be able to see the secret again and therefore needs to store it somewhere safe. Of course he will be able to regenerate the secret whenever he wants to.
A `client_secret` should not be stored as plain text in the database. An option might be to use something like Vault, or to come up with a solution that fits the purpose of storing the secret without making it completely inaccessible for the user after its creation.
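One way to implement the flow proposed in this issue (create the client without a secret, mint the secret on request and show it exactly once, persist only its hash, allow regeneration), as an added example that is not the project's own code. It assumes a hypothetical in-memory `ClientStore` in place of the real database.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Client:
    client_id: str
    # Only the SHA-256 digest of the secret is persisted; None until a secret exists.
    secret_hash: Optional[bytes] = None


class ClientStore:
    """Hypothetical in-memory client registry (constructed for this example)."""

    def __init__(self) -> None:
        self._clients: Dict[str, Client] = {}

    def create_client(self) -> Client:
        # Step 1: the client is created without any secret.
        client = Client(client_id=secrets.token_hex(8))
        self._clients[client.client_id] = client
        return client

    def generate_secret(self, client_id: str) -> str:
        # Step 2 (and regeneration): mint a 256-bit CSPRNG secret, store only its
        # hash, and return the plaintext once. Calling this again replaces the old
        # hash, so the previous secret stops working immediately.
        # A slow KDF is unnecessary here: the secret has 256 bits of entropy, so an
        # unsalted SHA-256 digest cannot be brute-forced or precomputed.
        plaintext = secrets.token_urlsafe(32)
        self._clients[client_id].secret_hash = hashlib.sha256(plaintext.encode()).digest()
        return plaintext

    def verify_secret(self, client_id: str, presented: str) -> bool:
        client = self._clients.get(client_id)
        if client is None or client.secret_hash is None:
            return False
        # Constant-time comparison of digests; the plaintext never reaches storage.
        digest = hashlib.sha256(presented.encode()).digest()
        return hmac.compare_digest(digest, client.secret_hash)
```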