Secret key on server vs. settings.json on client


#1

Hi there,

I want to implement my own authentication system using oauth. It is intended to cross-authenticate my current users with an external tool.

In this tutorial, it is suggested, to store the secret in the settings.json file.

However, I had the idea to store the secrets on the server and create the signature using the secret and the login credentials on the server. Finally returning the signature back to the client, which then uses the credentials for authentication.

Some opinions on that? Why is it favored to store the secrets in a client .json file?


#2

The secret is not (should not be) available to the client. In a typical settings.json file only those values under the top-level public key are made available to the client.

"credentials" : {
  "secret: "dfahf8ru8f2cufhuwhdfo2uoio",
  "appid": "38398q390r3q"
},
"public" : {
  "something" : "available on the client",
  "somethingElse" : "available on the client"
}

The credentials will not be sent to the client.


#3

The secret is not (should not be) available to the client

Thank you, I was already wondering… :slight_smile:

But is using the settings.JSON still the way to go, even, if I have to manage many different secrets across user groups with access to different third-party systems?


#4

settings.json is just a convenient way to store a small data set with an api for easy access. As long you store your credentials in a way that only the server has access you can do this any way you like.


#5

Alright! Thank you for your help!


#6

and remember to add your settings.json to your .gitignore file. You don’t want your secrets in your git repo.

Use something like settings_template.json with empty values to check in. That way it’s easy to reconstruct your settings.json if necessary.