Secret

Secrets are similar to passwords but auto-generated by the authorization server and of a certain minimum length. The main purpose is its use as a client secret for client authentication, though it could also be used by any account type other than a client.

Default Secret Policy

• minimum 43 characters length

• maximum 43 characters length

• no password expiration / no required password change

Secrets are case-sensitive.

The default maximum failed attempts before the factor gets temporarily disabled is 5. The factor will auto-unlock after 300 seconds (5 minutes). The counter resets to 0 on each successful login.

Secrets are stored hashed (Argon2id).

Signup

To enroll a secret factor, optionally a label (label parameter) is provided. The secret value itself is auto-generated by the Quasr service.

Signup with secret factor

POST https://{tenant_id}.api.quasr.io/factors/signup

Request Body

{
  "result": "SUCCESS",
  "feedback": {
    "cause": "",
    "enrollment_id": "<enrollment id>",
    "generated_input": "<generated secret>" // in case no input is provided
  }
}

Login

To validate a secret factor, the actual secret (input parameter) is provided.

Validating an secret factor

POST https://{tenant_id}.api.quasr.io/factors/login

Request Body

{
  "result": "FAILED",
  "feedback": {
    "cause": "INCORRECT_INPUT",
  }
}

{
  "result": "SUCCESS",
  "feedback": {
    "cause": "",
    "enrollment_id": "<enrollment_id>"
  },
  "session_token": "<session_token>",
  "account_id": "<account_id>",
  "session_score": <session_score>,
  "session_exp": <session_expiration> // epoch in seconds (not ms)
}

Factor Creation & Configuration

The Password Factor allows for the following parameters and config options:

The following API sample calls create an Secret factor labelled "Client Secret" with a score of 6.

GraphQL Example

// GraphQL Query (Sample)
mutation createFactor ($input: CreateFactorInput!) {
    createFactor (input: $input) {
        id
    }
}

// GraphQL Variables (Sample)
{
  "input": {
    "subtype": "secret:password",
    "label": "Client Secret",
    "status": "ENABLED",
    "score": 6
  }
}

// Response (Sample)
{
    "data": {
        "createFactor": {
            "id": "8bde5565-7027-4232-8db8-3f3ca1acaeac"
        }
    }
}

Node.js Example

var axios = require('axios');
var data = JSON.stringify({
  query: `mutation createFactor ($input: CreateFactorInput!) {
    createFactor (input: $input) {
        id
    }
}`,
  variables: {
    "input": {
      "subtype": "secret:password",
      "label": "Client Secret",
      "status": "ENABLED",
      "score": 6
    }
  }
});

var config = {
  method: 'post',
  url: 'https://api.quasr.io/graphql',
  headers: { 
    'Authorization': 'Bearer {access_token}', 
    'Content-Type': 'application/json'
  },
  data : data
};

axios(config)
.then(function (response) {
  console.log(JSON.stringify(response.data));
})
.catch(function (error) {
  console.log(error);
});

Recommended Password Managers

Secrets should be long and complex, which makes them hard or impossible to remember. The use of a password manager is recommended to keep them safe. Here is a list of password managers that we can recommend (Quasr has no affiliation with these vendors).

Additional Resources