Why isn't client secret encrypted in OAuth?

Question

I've been researching on OAuth server implementation recently. One thing I noticed is that all the server implementations do not encrypt client secret on the server side. I do understand that it's not supposed to be a password, but it's being used as a password. If that the case, why don't we encrypt it?

Only thing I can think is that it can't be encrypted since the OAuth server should display client secret to the client on UI.

P.S: Does it belong to stackoverflow or serverfault..?

Answer 1

That's an implementation decision but as long as the Authorization Server doesn't use an HSM for the encryption key, it doesn't make a whole lot of sense to encrypt the secrets with another secret that resides on the same filesystem.

Displaying it in the GUI is definitely not the reason for not encrypting it (since the server could decrypt it before showing it) and it is not even necessary to display it in the UI (could be provided as input by the app developer).

But perhaps you're referring to one-way hashing? In that case I would agree that Authorization Servers should treat those client secrets as passwords and hash them, or at least provide the option to do so.

But it deserves to be mentioned though that client secrets can be considered to be less harmful when lost because they are unique for the client/AS relationship. The bad side of user passwords being exposed is that they typically can be used against other service providers (using the same username/e-mail address). That does not hold for client secrets, and one may argue that in a lot of cases (where RS and AS are "close") being able to access the backend where the client secrets reside obsoletes the need for learning the client secret itself.