Authenticating applications with client secrets is necessary to access Cloudentity resources. Using client secrets also reduces the risk of malicious applications obtaining access tokens, because the authorization server only needs to know the hash of the client secret. If a malicious application gains access to the hash of a client secret, it will be able to decompile the application source code, which could compromise the security of the application and its resources.
The most common apps that use client secrets are Single Page Applications (SPAs) and web server apps. These apps are written in server-side languages and run in a web browser. Their source code is not accessible to the public, so the secret must be kept confidential.
These apps are not required to use client secrets, but if they do, it is essential to keep the secret confidential. There are a few methods for storing the secret so that it is not easily accessible. It is best to store the secret in encrypted form, which prevents anyone from copying its value. In addition, the application registration should store only the encrypted version of the secret.
During the registration process, the user will be asked to enter a secret. This will allow the user to authorize the application. Some services allow the user to revoke a previously authorized application. The user can revoke the application by going to the Revocation Page. This is a common security feature used by Amazon and other websites.
After an application is registered, the secret is stored in Cloudentity. Cloudentity provides several methods to manage client secrets, including a special registration access token that allows the application to read and update its own registration. It also provides an access token and an admin access token. The special registration access token can be used in the Refresh Flow to refresh the client secret.
If the client secret is compromised, it is important to rotate the secret to a new one. This will ensure that no one will be able to use the old secret anymore. During this process, the user is asked to confirm their password. If the user doesn’t confirm, the secret will be revoked.
Once a secret is rotated, the application has to be re-registered with Cloudentity, which can be done through the Admin API. The developer then needs a new client secret, which is returned as a response in a terminal. This is common on GitHub websites.
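As an added illustration (not Cloudentity's code), here is a minimal authorization-server-side registry that keeps only a hash of each client secret, verifies a presented secret in constant time, and rotates the secret so that the old value stops working immediately; the class and method names and the SHA-256 scheme are assumptions for the example.

```python
import hashlib
import hmac
import secrets


class ClientRegistry:
    """Minimal authorization-server side store: client ids map to a hash of the
    secret, never to the secret itself (assumed scheme, not Cloudentity's)."""

    def __init__(self) -> None:
        self._hashes: dict[str, bytes] = {}

    @staticmethod
    def _hash(secret: str) -> bytes:
        # Client secrets are high-entropy random strings, so an unsalted SHA-256
        # keeps the stored value unusable if the database leaks.
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def register(self, client_id: str) -> str:
        """Create a client; the plaintext secret is returned exactly once."""
        secret = secrets.token_urlsafe(32)
        self._hashes[client_id] = self._hash(secret)
        return secret

    def authenticate(self, client_id: str, presented: str) -> bool:
        """Check a presented secret against the stored hash in constant time."""
        stored = self._hashes.get(client_id)
        if stored is None:
            return False
        return hmac.compare_digest(self._hash(presented), stored)

    def rotate(self, client_id: str) -> str:
        """Issue a fresh secret; the previous one stops working immediately."""
        if client_id not in self._hashes:
            raise KeyError(f"unknown client {client_id!r}")
        new_secret = secrets.token_urlsafe(32)
        self._hashes[client_id] = self._hash(new_secret)
        return new_secret


def rotation_walkthrough() -> dict:
    """Register, authenticate, rotate, then show which secrets still work."""
    registry = ClientRegistry()
    old = registry.register("web-app")
    results = {"old_before_rotation": registry.authenticate("web-app", old)}
    new = registry.rotate("web-app")
    results["old_after_rotation"] = registry.authenticate("web-app", old)
    results["new_after_rotation"] = registry.authenticate("web-app", new)
    results["unknown_client"] = registry.authenticate("other", new)
    return results
```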
If a developer wants to display the secret on a web page, a re-authorization prompt must be placed before the developer is allowed to view it. This is often used to ensure that the user does not accidentally leak the secret. It is also recommended to place the re-authorization prompt before the developer gains access to the application. If an attacker obtains the secret, they could decompile the application source code and steal all the data.