4

I'm currently trying to build a single sign-on server for a couple of clients to use. Because I don't know exactly how many clients that will be, I planned to make it so I can add clients at runtime using the EntityFramework Configuration Store.

My problem is now how to set the client secrets. I tried generating a new GUID and using that as a secret. The problem now is that the Configuration Store just wants to save the hashed version of the secret and I would need to access the plain secret to add it to the actual client application.

I assume that this is on purpose and that it is discouraged to save the plain version of the secret? What would be the go-to solution for saving secrets?

Luke Girvin
fbrthld
  • You shouldn't save the secret in plaintext. Why do you want to access the plain text secret? – moritzg May 17 '17 at 05:56
  • I want to generate them automatically and then I need to read them somewhere so I can actually add them to my applications. It would be the same workflow as with e.g. Facebook OAuth2. You go to the developer page, create an application (here client) and then can read the secret and add it to your application. For that I need to store them in plain somewhere? – fbrthld May 17 '17 at 06:03
  • Are these your own applications? – moritzg May 17 '17 at 06:15
  • 1
    Mostly they are, but not necessarily. I think I will just give the secrets to the user once when they are generated and not store them. This should be a safe way to access them – fbrthld May 17 '17 at 08:02
  • This is actually a good idea. Also you can always generate a new secret if your client loses theirs. – moritzg May 17 '17 at 08:15
  • Hi. If you are using IdentityServer4, are you also using Admin UI? If yes, then you can use it like this: https://www.identityserver.com/documentation/admin-ui/clients/adding-a-web-client/ – Janne Harju Jan 21 '19 at 12:48

2 Answers

17

Use the following algorithm to generate a SHA256 hash. This is the same algorithm used in the IdentityServer4.Models.HashExtensions class.

using System;
using System.Security.Cryptography;
using System.Text;

static class Extensions
{
    // Same transformation as IdentityServer4.Models.HashExtensions.Sha256:
    // UTF-8 bytes of the input -> SHA-256 -> Base64 string.
    public static string Sha256(this string input)
    {
        using (SHA256 sha256 = SHA256.Create())
        {
            byte[] bytes = Encoding.UTF8.GetBytes(input);
            return Convert.ToBase64String(sha256.ComputeHash(bytes));
        }
    }
}

class Program
{
    static void Main()
    {
        // Prints the hashed form, which is what the configuration store keeps as the secret value
        Console.WriteLine("secret-as-guid".Sha256());
    }
}
rawel
  • Thanks for the answer, but that's not the problem I am having. I can create the hash and save the hashed secret. The thing I want to do is actually save the secret in plain text so I can read it later on. I'm wondering if this is something you shouldn't do, because it is not possible in IdentityServer4 without custom db tables etc. – fbrthld May 17 '17 at 05:46
  • 3
    You had better generate the secret and give it to the owner right away without storing it in plain text. Saving the secret in plain text is a no-no. Anyway, if you really need to access it later, use your own table with a client id to secret mapping. You should try your best to encrypt the secret before storing it and decrypt it on retrieval rather than storing the secret in plaintext. – rawel May 17 '17 at 06:17
  • Mhm. That might be a solution. I think I will give it to the user once on secret generation and not save it permanently. Thanks for your input! – fbrthld May 17 '17 at 08:01
  • You are welcome. Also, I should warn you about using GUIDs as secrets. http://stackoverflow.com/questions/4517497/how-secure-are-guids-in-terms-of-predictability – rawel May 17 '17 at 08:24
  • This algorithm worked with the secrets in the IdentityServer4 Mongo example. – T.Coutlakis Jan 29 '19 at 11:46
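As an added example (not code from the question, the answers, or IdentityServer4 itself), here is the workflow the discussion converges on: generate a random secret from the OS CSPRNG rather than a GUID, hash it the same way IdentityServer4's HashExtensions does, hand the plaintext to the owner once, store only the hash, and check a presented secret against the stored hash in constant time. It assumes .NET 6 or later; the class and method names are my own.

```csharp
// Added example, not code from the question, the answers or IdentityServer4 itself.
// Assumes .NET 6 or later. Hashing matches IdentityServer4's Sha256() string extension:
// UTF-8 bytes -> SHA-256 -> Base64, so the stored value is what the client's secret record holds.
using System;
using System.Security.Cryptography;
using System.Text;

public static class ClientSecrets
{
    // 32 bytes from the OS CSPRNG, not a GUID (GUIDs are not designed to be unpredictable).
    public static string GenerateSecret(int byteLength = 32)
    {
        byte[] raw = RandomNumberGenerator.GetBytes(byteLength);
        return Convert.ToBase64String(raw);
    }

    // Same transformation as IdentityServer4.Models.HashExtensions.Sha256(string).
    public static string Sha256(string input)
    {
        byte[] hash = SHA256.HashData(Encoding.UTF8.GetBytes(input));
        return Convert.ToBase64String(hash);
    }

    // What a validator does at token-request time: hash the presented value and compare it
    // to the stored hash in constant time, so the comparison does not leak matching prefixes.
    public static bool Verify(string presented, string storedHash)
    {
        byte[] a = Encoding.UTF8.GetBytes(Sha256(presented));
        byte[] b = Encoding.UTF8.GetBytes(storedHash);
        return CryptographicOperations.FixedTimeEquals(a, b);
    }
}

public static class Program
{
    public static void Main()
    {
        // Generate once: the plaintext goes to the client owner a single time,
        // only the hash is persisted in the configuration store.
        string plain = ClientSecrets.GenerateSecret();
        string stored = ClientSecrets.Sha256(plain);
        Console.WriteLine($"Give this to the client owner once: {plain}");
        Console.WriteLine($"Persist this as the client secret:  {stored}");
        Console.WriteLine(ClientSecrets.Verify(plain, stored));
        Console.WriteLine(ClientSecrets.Verify("not-the-secret", stored));
    }
}
```

If the owner loses the plaintext, run the generation again and replace the stored hash; nothing on the server can recover the old value, which is the point.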
0

You should not store the client secret in plain text.

Always assume that your configuration database gets compromised - and then those secrets can be used to impersonate your clients.

This might be slightly inconvenient for you - but it is a best practice (and also in-line with how other token services deal with that).

If you have other means of protecting the secret at rest - you can add the plain text based secret validator to DI

https://github.com/IdentityServer/IdentityServer4/blob/dev/src/IdentityServer4/Validation/PlainTextSharedSecretValidator.cs

leastprivilege
  • Is there an online tool that can create a SHA of a secret? I want to use it to configure the secret when I add new clients. Otherwise I will have to create a console app? – Kishan Vaishnav Apr 30 '21 at 11:07