- Which SDK this is regarding: express-openid-connect
I’m wondering where I can find out more information about the ‘secret’ used by this SDK. In the docs, the examples have a secret, which it suggests is a long random string.
```js
const config = {
  authRequired: false,
  auth0Logout: true,
  baseURL: 'http://localhost:3000',
  clientID: 'YOUR_CLIENT_ID',
  issuerBaseURL: 'https://YOUR_DOMAIN',
  secret: 'LONG_RANDOM_STRING'
};
```
In my tests, I can put whatever I want in there and it doesn’t seem to change behavior. So why doesn’t the software just generate a random string? Do I really need to put this in an environment variable so it persists?
The docs say:

> REQUIRED. The secret(s) used to derive an encryption key for the user identity in a session cookie and to sign the transient cookies used by the login callback. Use a single string key or array of keys for an encrypted session cookie. Can use env key SECRET instead.
https://auth0.github.io/express-openid-connect/interfaces/configparams.html#secret
What I’m wondering is, could I just generate a random string in the code and use that? Like, with:

```js
(Math.random()).toString(24) + (Math.random()).toString(24)
```
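An added example, not part of the original post and not express-openid-connect's own code: it models the documented role of `secret` (a key derived from it encrypts the session cookie) to show what happens to an existing cookie when the process restarts with a freshly generated secret, and how an array of keys keeps old cookies readable. Assumptions: HKDF-SHA256 and AES-256-GCM stand in for the SDK's real cookie format, all function names are hypothetical, and the secret is generated with `crypto.randomBytes` because `Math.random()` is not a cryptographically secure generator.

```javascript
// Illustration only: a simplified model of a secret-derived session cookie.
const crypto = require('crypto');

// Generate once, store outside the code (e.g. the SECRET env var), reuse on every start.
function generateSecret() {
  return crypto.randomBytes(32).toString('hex'); // 256 bits from the OS CSPRNG
}

// Assumed derivation for this sketch: HKDF-SHA256 from the secret to a 32-byte key.
function deriveKey(secret) {
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'session cookie', 32));
}

// Encrypt with the first secret only; any later entries are for reading old cookies.
function sealSession(session, secrets) {
  const key = deriveKey([].concat(secrets)[0]);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(session), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
}

// Try every configured secret; return null when none authenticates the cookie.
function openSession(cookie, secrets) {
  const raw = Buffer.from(cookie, 'base64url');
  const iv = raw.subarray(0, 12), tag = raw.subarray(12, 28), body = raw.subarray(28);
  for (const secret of [].concat(secrets)) {
    try {
      const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(secret), iv);
      decipher.setAuthTag(tag);
      return JSON.parse(Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8'));
    } catch (err) { /* wrong key for this cookie: try the next secret */ }
  }
  return null;
}

function demo() {
  const persisted = generateSecret();                           // constructed sample secret
  const cookie = sealSession({ sub: 'user-123' }, persisted);   // constructed session
  return {
    sameSecret: openSession(cookie, persisted),                   // session survives
    freshSecretAfterRestart: openSession(cookie, generateSecret()), // null: user is logged out
    rotated: openSession(cookie, [generateSecret(), persisted]),  // old key kept: still readable
  };
}
```

The same effect applies across multiple instances behind a load balancer: each instance generating its own secret at startup cannot read cookies issued by the others.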