Closed HiroProt closed 13 years ago
Client secrets are effectively passwords, and the OAuth spec states that they should be treated with the same care as user passwords. This means they should be stored using an irreversible hash and should not be transmitted without encryption.
If the developer loses their secret I think the provider should generate a new one for them rather than displaying the existing one.
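The storage model described in the comment above, as an added example that is not code from the issue thread or the project: the provider hashes the client secret with a salted, slow password hash (PBKDF2-HMAC-SHA256 is assumed here; the iteration count and the in-memory `CLIENT_STORE` dict standing in for the client table are also assumptions), verifies it in constant time, and, because the plaintext is never retained, handles a lost secret by issuing a new one that replaces the old.

```python
"""Added example (not from the issue): store OAuth client secrets like user
passwords. Assumptions: PBKDF2-HMAC-SHA256 as the irreversible hash, a dict
standing in for the provider's client table, and a constructed client id."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware budget
SALT_BYTES = 16

# Constructed in-memory "client table": client_id -> {"salt": ..., "hash": ...}
CLIENT_STORE: dict[str, dict[str, bytes]] = {}


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, deliberately slow one-way hash of the client secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def register_client(client_id: str) -> str:
    """Generate a fresh secret, persist only its salt and hash, and return the
    plaintext exactly once so the developer can copy it into their client."""
    secret = secrets.token_urlsafe(32)
    salt = os.urandom(SALT_BYTES)
    CLIENT_STORE[client_id] = {"salt": salt, "hash": _hash_secret(secret, salt)}
    return secret


def verify_client(client_id: str, presented: str) -> bool:
    """Check a presented secret without ever comparing plaintexts."""
    record = CLIENT_STORE.get(client_id)
    if record is None:
        # Hash anyway so an unknown client_id costs the same time as a known one.
        _hash_secret(presented, b"\x00" * SALT_BYTES)
        return False
    candidate = _hash_secret(presented, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def rotate_secret(client_id: str) -> str:
    """A lost secret cannot be displayed (only its hash exists); mint a new
    one, which immediately invalidates the old."""
    if client_id not in CLIENT_STORE:
        raise KeyError(f"unknown client: {client_id}")
    return register_client(client_id)


if __name__ == "__main__":
    shown_once = register_client("demo-app")  # constructed client id
    print("secret (shown once):", shown_once)
    print("verify correct secret:", verify_client("demo-app", shown_once))
    replacement = rotate_secret("demo-app")
    print("old secret still valid after rotation:", verify_client("demo-app", shown_once))
    print("new secret valid:", verify_client("demo-app", replacement))
```

Only the salt and hash reach the database, so a provider built this way has nothing to "reveal" later; the rotate path is the answer to the follow-up question of how a developer recovers a lost secret.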
Any particular reason why you encrypt client secrets? Pretty much all the OAuth sites I've seen allow the developer to see their secret later on, e.g. to configure a new client implementation.