Best deployment practice for securing ClientID and Secret

Hi,

We are just finalising our deployment into our production environment and wanted to know if there was any best practice advice on securing our clientID and secret?

Are there any other mitigations/controls should these ever be compromised?

The client identifier used in OIDC/OAuth 2.0 is not considered confidential information, so technically there are no specific recommendations for the identifier. However, the secret is indeed confidential and as such should be treated as any other sensitive information that the application requires to function.

In particular, you should not include the secret directly in source code and instead you’ll likely want to make it available only through other means like environment configuration.

In terms of handling a compromised secret, the general handling would be to invalidate that secret as quickly as possible, which, for an application registered in an Auth0 tenant, can be achieved by rotating the client secret through the Management API (Auth0 Management API v2).

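The two points in the answer above (keep the secret out of source code and load it from the environment; rotate it through the Management API if it is ever exposed) as a small added Python example. This is not code from the thread or from Auth0: the environment variable names, the tenant domain `example.auth0.com`, and the `CannedResponse` stand-in are assumptions constructed so it runs offline. The endpoint path is the Management API v2 "rotate a client secret" operation the answer refers to (`POST /api/v2/clients/{id}/rotate-secret`), called with a Management API token that carries the `update:client_keys` scope.

```python
import json
import os
import urllib.request

# Variable names are an assumption for this example; the thread does not name them.
CLIENT_ID_VAR = "AUTH0_CLIENT_ID"
CLIENT_SECRET_VAR = "AUTH0_CLIENT_SECRET"


class MissingCredentialError(RuntimeError):
    """Raised when a required credential is absent from the environment."""


def load_client_credentials(env=None):
    """Return (client_id, client_secret) read from the environment.

    The secret has no default and is never read from source code: if it is
    missing, the application fails closed instead of starting with a blank
    or placeholder credential.
    """
    env = os.environ if env is None else env
    client_id = env.get(CLIENT_ID_VAR, "").strip()
    client_secret = env.get(CLIENT_SECRET_VAR, "").strip()
    if not client_id:
        raise MissingCredentialError(f"{CLIENT_ID_VAR} is not set")
    if not client_secret:
        raise MissingCredentialError(f"{CLIENT_SECRET_VAR} is not set")
    return client_id, client_secret


def mask_secret(secret, keep=4):
    """Return a log-safe form of a secret showing only its last `keep` characters."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


def build_rotate_secret_request(domain, client_id, mgmt_token):
    """Build the Management API v2 request that rotates a client's secret.

    POST https://{tenant-domain}/api/v2/clients/{client_id}/rotate-secret
    `mgmt_token` must be a Management API access token with update:client_keys.
    """
    url = f"https://{domain}/api/v2/clients/{client_id}/rotate-secret"
    headers = {
        "Authorization": f"Bearer {mgmt_token}",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, data=b"", headers=headers, method="POST")


def rotate_client_secret(domain, client_id, mgmt_token, opener=urllib.request.urlopen):
    """Rotate the client secret and return the new value.

    `opener` is injectable so the flow can be exercised without network access;
    by default it performs the real HTTPS request.
    """
    request = build_rotate_secret_request(domain, client_id, mgmt_token)
    with opener(request) as response:
        body = json.load(response)
    new_secret = body["client_secret"]
    # Log only the masked form; the full value goes to the secret store, not logs.
    print(f"rotated secret for client {client_id}: {mask_secret(new_secret)}")
    return new_secret


class CannedResponse:
    """Stand-in for an HTTP response, constructed so the example runs offline."""

    def __init__(self, payload):
        self._data = json.dumps(payload).encode()

    def read(self):
        return self._data

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    # Offline demonstration with a constructed response; a real run would pass
    # a Management API token and omit `opener`.
    fake = lambda req: CannedResponse({"client_id": "cid", "client_secret": "new-value"})
    rotate_client_secret("example.auth0.com", "cid", "mgmt-token", opener=fake)
```

Once the new secret is returned it belongs in the same environment/secret store the application already reads from, followed by a restart or reload of the deployed instances; the old value stops working as soon as the rotation call succeeds, which is the invalidation the answer describes.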

Thanks @jmangelo, appreciate your response.
