Skip to main content

ClientSecret Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Features.ClientInformation

ClientSecret Class

Encapsulates the details of a client secret used in OAuth2 and OpenID Connect authentication flows.

public record ClientSecret : System.IEquatable<Abblix.Oidc.Server.Features.ClientInformation.ClientSecret>

Inheritance System.Object → ClientSecret

Implements System.IEquatable<ClientSecret>

Remarks

Client secrets are critical for the security of client applications, especially those that authenticate in a server-side context. This record stores hashed versions of the secret to enhance security by avoiding the storage of plain-text secrets. For client_secret_jwt authentication method, the raw value must also be stored to validate HMAC-signed JWTs.

Properties

ClientSecret.ExpiresAt Property

The expiration date and time for the client secret. Secrets past this date are considered invalid and cannot be used for authentication.

public System.Nullable<System.DateTimeOffset> ExpiresAt { get; init; }

Property Value

System.Nullable<System.DateTimeOffset>

Remarks

Setting an expiration date for client secrets is a best practice that helps mitigate the risk of secret compromise over time. It encourages regular rotation of secrets to maintain the security integrity of client applications.

ClientSecret.Sha256Hash Property

The SHA-256 hash of the client secret. This property is used to securely store and verify the secret without needing to store the plain text value.

public byte[]? Sha256Hash { get; init; }

Property Value

System.Byte[]

Remarks

The SHA-256 hash provides a secure way to handle client secrets, allowing for their verification during the authentication process without risking exposure.

ClientSecret.Sha512Hash Property

The SHA-512 hash of the client secret. This property offers an additional layer of security by using a stronger hashing algorithm compared to SHA-256.

public byte[]? Sha512Hash { get; init; }

Property Value

System.Byte[]

Remarks

SHA-512 hashes are more resistant to brute-force attacks due to their larger size and complexity. This property is optional and can be used in systems requiring heightened security measures.

ClientSecret.Value Property

The plain-text value of the client secret. This property is required for authentication methods that need the raw secret value, such as client_secret_jwt (which uses HMAC signatures).

public string? Value { get; init; }

Property Value

System.String

Remarks

While storing plain-text secrets poses security risks, some authentication methods like client_secret_jwt require access to the original value to create HMAC signatures for validation. This value should be stored securely and access should be restricted.