|
|
|
|
|
|
by deidei
1225 days ago
|
|
|
Thanks for the help. So that two options that I was thinking about - Option A
1. My user creates an secure (with API keys or some other method) API endpoint to provide the Client secrets when I need them. 2. When my app needs to access the client secrets, I maker an API call to the users endpoint to get the Client Secret. Option B
1. 1. When user signs up, generate an encryption key and ask the user to save it securely. (With the warning that in case this key is lost, the user would have to configure the Client Secrets again) 2. Whenever the user makes an API call (over HTTPS ofc) that involves reading/writing sensitive data, require him to provide the encryption key as well. Which one is better? |
|
|
When does your SaaS initiate the connection to the other services? Autonomous at arbitrary times? Or does the user initiate the connection? In the latter case, your app can store the secrets like Browsers do. In the former case, and when your user can provide an always on endpoint to provide the secrets, your option A seems the best way. If not, you must store the secrets server side, but then you definitely should consult an appropriate security guy to make this as secure as possible.