Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why isn't client secret encrypted in OAuth?

I've been researching on OAuth server implementation recently. One thing I noticed is that all the server implementations do not encrypt client secret on the server side. I do understand that it's not supposed to be a password, but it's being used as a password. If that the case, why don't we encrypt it?

Only thing I can think is that it can't be encrypted since the OAuth server should display client secret to the client on UI.

P.S: Does it belong to stackoverflow or serverfault..?

like image 438
Moon Avatar asked May 06 '15 20:05

Moon


People also ask

Should client secret be encrypted?

Encrypting, or alternatively, hashing the client secrets, is an excellent security measure to minimise the risk of an undetected credential leak from the database. Recommended methods: Encryption: AES with 128 bit or longer key. Hashing: Argon2, Bcrypt, Scrypt.

Should OAuth client id be secret?

The Client ID is a public identifier of your application. The Client Secret is confidential and should only be used to authenticate your application and make requests to LinkedIn's APIs.

Is client secret mandatory in OAuth2?

Client secret is not needed because the access token is used by the resource server. However, the client secret is used by the authorization server to authenticate the client. If the client has the access token, that means it is already authenticated. Please refer section 7.


1 Answers

That's an implementation decision but as long as the Authorization Server doesn't use an HSM for the encryption key, it doesn't make a whole lot of sense to encrypt the secrets with another secret that resides on the same filesystem.

Displaying it in the GUI is definitely not the reason for not encrypting it (since the server could decrypt it before showing it) and it is not even necessary to display it in the UI (could be provided as input by the app developer).

But perhaps you're referring to one-way hashing? In that case I would agree that Authorization Servers should treat those client secrets as passwords and hash them, or at least provide the option to do so.

But it deserves to be mentioned though that client secrets can be considered to be less harmful when lost because they are unique for the client/AS relationship. The bad side of user passwords being exposed is that they typically can be used against other service providers (using the same username/e-mail address). That does not hold for client secrets, and one may argue that in a lot of cases (where RS and AS are "close") being able to access the backend where the client secrets reside obsoletes the need for learning the client secret itself.

like image 72
Hans Z. Avatar answered Jan 01 '23 12:01

Hans Z.