I have an application that needs to store secrets on behalf of the user. These secrets should be stored securely, but need to be decryptable when the user is present.
Ordinarily I would turn to password-based keys (i.e. PBKDF2) to derive the key, however I also have to provide OAuth2 sign-in capabilities (with Facebook and Google), which means I don't have a password that I can use to generate the key.
I have tried to find a unique, consistent and secret key that's returned from the OAuth2 providers, but I can't find one.
Are there any approaches that can combine the two? I suspect the answer is no, but wanted to ask just in case.
I think in this case, the only option is likely to have the user provide a decryption password specific to your environment in addition to their logon. Even if you found some piece of information that was secret and available in all OAuth providers, you would have the issue that the value would not be unique to your application and the key could be derived by other services, which would be bad.
Having the user provide additional information seems to be the only option.