Why is client_secret visible?

My question is the same as Client_Secret is stored in clear text, but I couldn’t reply there because it’s locked.

I read the linked document in the answer by dan.woda, but couldn’t find anything that would explain - or I wasn’t able to grasp - why client secrets must be stored in clear text.

Why is it not possible to manage Apps exactly like it is right now, but without the option to view an App’s client_secret (it’s not just viewing that I’m concerned with, but that these are stored encrypted and following best practices in Auth0)? Auth0 could show the secret exactly once when it’s rotated, but never again. All other actions in Auth0’s admin pages would still be possible without knowing client secrets like they are right now.

Thanks in advance!

Hi @MarceloZ,

Client secrets are encrypted and stored in a secure DB. If you are interested in more details about our compliance with industry best practices you can request a copy of our SOC 2 certification from trust@auth0.com.

I can’t speak to the exact design decision, but I can say this is the same way client secrets are treated by Google, Slack, etc.


Thanks for your quick reply, dan.woda.

Glad to hear they’re stored encrypted. I think it would be nice to have an article explaining this or even a hint in the docs (maybe it’s already there and I just didn’t find it?) affirming this.

Cryptography is a tricky subject and I would guess a lot of people will be genuinely confused when they can see a password in clear text, much like I was.

But is it possible to share some more detail in this thread? I think it would benefit future readers too. I’ve seen some more involved key management schemes that allow for very non-intuitive “It doesn’t look like it, but it’s secure” behaviour such as Lastpass’s “Reset user’s master password” feature, and it was a relief to see an article stating it’s safe even if I can’t fully grasp the details.

I can pass that request on to the team who runs our blogs!

Like I mentioned, I can’t speak to the exact design decision here, but I’m happy to provide my own insight into why a user password isn’t the same as a client secret.

The most common reason I hear for not storing users’ passwords in plaintext is that leaking can result in a Credential Stuffing attack on other websites. This isn’t something that applies to a client secret, as it is unique to a specific auth server, and wouldn’t be used again with a different auth server.
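The show-once handling proposed in the original question, sketched as an added example that is not part of the thread and is not Auth0's code or a description of how Auth0 stores secrets. The class name `ShowOnceSecretStore`, its methods and the client ID `app-123` are hypothetical; the sketch assumes the secret is only ever presented for comparison, so the server needs nothing but a salted hash.

```python
import hashlib
import hmac
import secrets


class ShowOnceSecretStore:
    """Hypothetical store that keeps only a salted hash of each client secret."""

    def __init__(self):
        self._records = {}  # client_id -> (salt, digest)

    @staticmethod
    def _digest(salt: bytes, secret: str) -> bytes:
        # Secrets here are 256-bit random values, so one salted SHA-256 pass is
        # enough; human-chosen passwords would need a slow KDF instead.
        return hashlib.sha256(salt + secret.encode()).digest()

    def rotate(self, client_id: str) -> str:
        """Create a new secret, persist only its hash, return plaintext once."""
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._records[client_id] = (salt, self._digest(salt, secret))
        return secret

    def verify(self, client_id: str, presented: str) -> bool:
        """Check a presented secret against the stored hash in constant time."""
        record = self._records.get(client_id)
        if record is None:
            # Hash anyway so unknown client IDs take about the same time.
            self._digest(b"\x00" * 16, presented)
            return False
        salt, expected = record
        return hmac.compare_digest(expected, self._digest(salt, presented))

    def stored_view(self, client_id: str) -> str:
        """What an admin page could display: a hash, never the secret."""
        _salt, digest = self._records[client_id]
        return digest.hex()


if __name__ == "__main__":
    store = ShowOnceSecretStore()
    first = store.rotate("app-123")  # constructed client ID
    print("shown once:", first)
    print("verifies:", store.verify("app-123", first))
    store.rotate("app-123")
    print("old secret after rotation:", store.verify("app-123", first))
    print("admin view:", store.stored_view("app-123"))
```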