by mharig
1227 days ago
If I understand correctly, option B doesn't make much sense. If your user can provide an encryption key, he can just as well provide the token or whatever directly. When does your SaaS initiate the connection to the other services? Autonomously, at arbitrary times? Or does the user initiate the connection?
In the latter case, your app can store the secrets like browsers do.
In the former case, and when your user can provide an always-on endpoint to provide the secrets, your option A seems the best way.
If not, you must store the secrets server-side, but then you definitely should consult an appropriate security guy to make this as secure as possible.
|
Yeah that makes sense, thanks for pointing that out. I'm just brainstorming at this point and will consult a security person before going to prod. Thanks for your pointers!