Closed andrewpbrett closed 11 years ago
The spec essentially says they should be treated with the same care as passwords. I'm actually looking at trying to make the protection provided by OAuth2::Provider stronger.
I know a lot of OAuth providers let you get the client secret at any time, but I consider this an antipattern.
Cool, good to know. Thanks for publishing this, it's been really useful.
(Apologies if there's a mailing list that's better for questions like this)
If the client_secret is immediately hashed, how does the provider give it to the person who just created the client?
When the `Client` instance is created, the secret is held in memory as an instance variable on the model object, allowing the app to retrieve it and display it in the response. Once that object is garbage-collected, the secret is lost and only the hash remains in the database.
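The create-once, hash-at-rest pattern described above, as an added illustration that is not code from OAuth2::Provider itself: the plaintext secret exists only on the freshly created object, the store keeps a SHA-256 digest (algorithm is an assumption; the in-memory `STORE` hash stands in for the database table), and verification compares digests in constant time.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for the clients table: holds the hash, never the plaintext.
STORE = {}

class Client
  attr_reader :client_id, :client_secret

  # Create a client. The plaintext secret lives only in @client_secret on this
  # object, so the app can show it once in the response; only its hash is stored.
  def self.create(name)
    client = new(SecureRandom.hex(16), name)
    client.instance_variable_set(:@client_secret, SecureRandom.hex(32))
    STORE[client.client_id] = { name: name, secret_hash: hash_secret(client.client_secret) }
    client
  end

  # Reloading from the store yields an object with no plaintext secret at all.
  def self.find(client_id)
    row = STORE[client_id]
    return nil unless row
    new(client_id, row[:name])
  end

  def initialize(client_id, name)
    @client_id = client_id
    @name = name
    @client_secret = nil
  end

  # The secret is 256 bits of CSPRNG output, so a single fast hash suffices
  # (assumption; a slow KDF would be needed for low-entropy, user-chosen secrets).
  def self.hash_secret(secret)
    Digest::SHA256.hexdigest(secret)
  end

  # Constant-time comparison so a mismatch does not leak how many bytes matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Check a presented secret against the stored hash.
  def valid_secret?(presented)
    Client.secure_compare(STORE[@client_id][:secret_hash], Client.hash_secret(presented.to_s))
  end
end
```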
Got it, thanks again!
I've seen (or I think I've seen) other OAuth provider implementations that don't hash the client secret. Is this something that's within the spec, or is it done here for extra security?