Secret
Secrets are similar to passwords, but they are auto-generated by the authorization server and have a fixed minimum length. Their main purpose is use as a client secret for client authentication, though a secret can also be used by any account type other than a client.
Default Secret Policy
- minimum length: 43 characters
- maximum length: 43 characters
- no password expiration / no required password change
Secrets are case-sensitive.
The default maximum failed attempts before the factor gets temporarily disabled is 5. The factor will auto-unlock after 300 seconds (5 minutes). The counter resets to 0 on each successful login.
Secrets are stored hashed (Argon2id).
Signup
To enroll a secret factor, a label (label parameter) can optionally be provided. The secret value itself is auto-generated by the Quasr service.
Signup with secret factor
POST https://{tenant_id}.api.quasr.io/factors/signup
Request Body
  label   String  Label
  id*     String  Factor ID
  input   String  Secret
Response (Sample; generated_input is only returned in case no input is provided)
{
  "result": "SUCCESS",
  "feedback": {
    "cause": "",
    "enrollment_id": "<enrollment id>",
    "generated_input": "<generated secret>"
  }
}
Login
To validate a secret factor, the actual secret (input parameter) is provided.
Validating a secret factor
POST https://{tenant_id}.api.quasr.io/factors/login
Request Body
  input*  String  Password
  id*     String  Enrollment ID
Response (Sample)
{
  "result": "FAILED",
  "feedback": {
    "cause": "INCORRECT_INPUT"
  }
}
Factor Creation & Configuration
A Password factor is already available for all newly created tenants by default; if you want to add additional password factors, you can do so via the Tenant Administration UI or the Admin API.
The Password Factor allows for the following parameters and config options:
  Parameter                                  Values                    Default
  subtype                                    "secret:password"
  label                                      <string>
  status                                     "ENABLED" | "DISABLED"    "DISABLED"
  score                                      <positive int>            1
  config.regex                               regex                     "^.{15,100}"
  config.unique                              true | false              false
  config.case_sensitive                      true | false              true
  config.require_validation_for_enablement   true | false              false
  config.threshold                           0-4                       2
The following API sample calls create a Secret factor labelled "Client Secret" with a score of 6.
GraphQL Example
// GraphQL Query (Sample)
mutation createFactor ($input: CreateFactorInput!) {
  createFactor (input: $input) {
    id
  }
}
// GraphQL Variables (Sample)
{
  "input": {
    "subtype": "secret:password",
    "label": "Client Secret",
    "status": "ENABLED",
    "score": 6
  }
}
// Response (Sample)
{
  "data": {
    "createFactor": {
      "id": "8bde5565-7027-4232-8db8-3f3ca1acaeac"
    }
  }
}
Node.js Example
const axios = require('axios');

// GraphQL mutation and its variables, sent together as one JSON body
const data = JSON.stringify({
  query: `mutation createFactor ($input: CreateFactorInput!) {
    createFactor (input: $input) {
      id
    }
  }`,
  variables: {
    input: {
      subtype: 'secret:password',
      label: 'Client Secret',
      status: 'ENABLED',
      score: 6
    }
  }
});

const config = {
  method: 'post',
  url: 'https://api.quasr.io/graphql',
  headers: {
    // Admin API call: replace {access_token} with a valid access token
    'Authorization': 'Bearer {access_token}',
    'Content-Type': 'application/json'
  },
  data: data
};

axios(config)
  .then(function (response) {
    // The created factor's id is returned under data.createFactor.id
    console.log(JSON.stringify(response.data));
  })
  .catch(function (error) {
    console.log(error);
  });
Recommended Password Managers
Secrets should be long and complex, which makes them hard or impossible to remember. The use of a password manager is recommended to keep them safe. Here is a list of password managers that we can recommend (Quasr has no affiliation with these vendors):
Additional Resources