Overview

Client Secret (OAuth 2.0 client_secret) is a secret used by the OAuth Client to authenticate to the Authorization Server.
Client Secret must be sufficiently random to not be guessable.
Developers must never include their Client Secret in an OAuth Public Client app (mobile or browser-based). Some folks suggest that using a longer string for the Client Secret is a good way to indicate this, or prefixing the Client Secret with "secret" or "private".
A method to generate a secure Client Secret is to use a cryptographically secure pseudorandom number generator library to generate a 256-bit value and convert it to a hexadecimal representation.
A good sample Client Secret, which is 86 characters long:
Regarding entropy for symmetric key cryptography signature and encryption algorithms, section 16.19 "Symmetric Key Entropy" of OpenID Connect Core 1.0 states: "In Section 10.1 and Section 10.2, keys are derived from the client_secret value. Thus, when used with symmetric signing or encryption operations, client_secret values MUST contain sufficient entropy to generate cryptographically strong keys. Also, client_secret values MUST also contain at least the minimum of number of octets required for MAC keys for the particular algorithm used. So for instance, for HS256, the client_secret value MUST contain at least 32 octets (and almost certainly SHOULD contain more, since client_secret values are likely to use a restricted alphabet)."
And section 3.1 "alg" (Algorithm) Header Parameter Values for JWS of RFC 7518 (JSON Web Algorithms) states that HS256 (HMAC using SHA-256) must be supported as a signature algorithm for JWS. As a logical consequence, any implementation claiming compliance with OpenID Connect is required to generate client secrets with entropy of 256 bits or more.
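The generation method and the two OpenID Connect Core 16.19 requirements above (enough octets for the MAC key, enough entropy for the hash size) as an added example, not code from the original page: the entropy estimate is this example's own alphabet-based heuristic, and the HS256 minimum of 32 octets follows RFC 7518 section 3.2 (key at least as long as the hash output).

```python
import base64
import hashlib
import hmac
import json
import math
import secrets
import string

# Minimum MAC key length in octets: RFC 7518 section 3.2 requires a key at least as long as the hash output.
MIN_KEY_OCTETS = {"HS256": 32, "HS384": 48, "HS512": 64}
DIGEST = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
# Alphabets for a conservative entropy estimate (this example's own heuristic, not a spec rule).
ALPHABETS = (
    (set("0123456789abcdefABCDEF"), 16),                     # hex: 4 bits per character
    (set(string.ascii_letters + string.digits + "-_"), 64),  # base64url: 6 bits per character
    (set(string.printable) - set(string.whitespace), 94),    # printable ASCII: ~6.55 bits
)

def generate_client_secret(bits: int = 256) -> str:
    """Draw `bits` from the OS CSPRNG and hex-encode them (64 characters for 256 bits)."""
    return secrets.token_hex(bits // 8)

def entropy_lower_bound_bits(client_secret: str) -> float:
    """Bound entropy by the smallest listed alphabet containing every character;
    this assumes the secret was drawn uniformly from that alphabet (restricted alphabet caveat)."""
    for charset, size in ALPHABETS:
        if all(c in charset for c in client_secret):
            return len(client_secret) * math.log2(size)
    return 0.0  # non-ASCII input: make no claim

def check_client_secret(client_secret: str, alg: str) -> dict:
    """OIDC Core 16.19 checks for a client_secret used as a symmetric JWS key: the key is the
    UTF-8 octets of client_secret (OIDC Core 10.1), so count octets, then estimate entropy."""
    octets = len(client_secret.encode("utf-8"))
    bits = entropy_lower_bound_bits(client_secret)
    return {"octets": octets, "entropy_bits": bits,
            "enough_octets": octets >= MIN_KEY_OCTETS[alg],
            "enough_entropy": bits >= MIN_KEY_OCTETS[alg] * 8}

def sign_hs(client_secret: str, claims: dict, alg: str = "HS256") -> str:
    """Compact JWS using client_secret's UTF-8 octets as the HMAC key; refuses weak secrets."""
    result = check_client_secret(client_secret, alg)
    if not (result["enough_octets"] and result["enough_entropy"]):
        raise ValueError(f"client_secret too weak for {alg}: {result}")
    b64 = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(client_secret.encode("utf-8"), f"{header}.{payload}".encode(), DIGEST[alg]).digest()
    return f"{header}.{payload}.{b64(sig)}"
```

A 64-character hex secret passes the octet check for HS512 (64 octets) but not the entropy check (256 bits of randomness for a 512-bit hash), which is exactly the "restricted alphabet" point the spec makes.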
More Information

There might be more information for this subject on one of the following:
- Access Token Request
- Authorization Code Flow
- Best Practices OpenID Connect
- Client Authentication Methods
- Creating an OAuth 2.0 Client Application
- Grant Types
- Implicit Grant
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
- OAuth 2.0 Client Registration
- OAuth 2.0 Device Profile
- OAuth 2.0 Use Cases
- OAuth Parameters Registry
- OAuth Public Client
- OpenID Connect
- Proof Key for Code Exchange by OAuth Public Clients
- Resource Owner Password Credentials Grant
- Web Blog_blogentry_140615_1
- Web Blog_blogentry_150617_1
- [#1] - Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings - based on information obtained 2017-05-29
- [#2] - Client Secret - based on information obtained 2017-07-02