Secret in express-open-id

  • Which SDK this is regarding: express-openid-connect

I’m wondering where I can find out more information about the ‘secret’ used by this SDK. In the docs, the examples have a secret, which it suggests is a long random string.

const config = {
  authRequired: false,
  auth0Logout: true,
  baseURL: 'http://localhost:3000',
  clientID: 'YOUR_CLIENT_ID',
  issuerBaseURL: 'https://YOUR_DOMAIN',
  secret: 'LONG_RANDOM_STRING'
};

In my tests, I can put whatever I want in there and it doesn’t seem to change behavior. So why doesn’t the software just generate a random string? Do I really need to put this in an environment variable so it persists?

The docs say:

REQUIRED. The secret(s) used to derive an encryption key for the user identity in a session cookie and to sign the transient cookies used by the login callback. Use a single string key or array of keys for an encrypted session cookie. Can use env key SECRET instead.

https://auth0.github.io/express-openid-connect/interfaces/configparams.html#secret

What I’m wondering is could I just generate a random string in the code and use that?
like, with:

(Math.random()).toString(24) +  (Math.random()).toString(24)

Hi @nsheff,

Welcome to the Auth0 Community!

This SO thread goes in-depth about this question. Check it out!
