use char[] instead of String for sensitive data
victorhua opened this issue · 3 comments
Describe the problem you'd like to have solved
We are trying to use char[] instead of String for handling sensitive data in code, such as clientSecret.
It seems the client SDK is using String. https://github.com/auth0/auth0-java/blob/master/src/main/java/com/auth0/client/auth/AuthAPI.java#L102
Is there any plan to move to char[] instead?
Describe the ideal solution
Alternatives and current work-arounds
Additional information, if any
Maybe use CharSequence instead, so it is backwards compatible.
Hi @victorhua, thanks for the info. This is a tricky one; I understand the request, but as a REST library, ultimately values end up transmitted over the wire through an HTTP library, in this case OkHttp. In certain cases we can serialize data ourselves and use char arrays, but not always. In the case of the client secret, for example, it may be sent as an x-www-form-urlencoded parameter, which will ultimately end up being a String. There was a similar request to OkHttp itself, but ultimately it's not something that will be supported. So, even if we did accept the secret as a char array, at some point during the HTTP transfer it can end up as a String, thus not providing any real value.
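An added illustration of the point made in the comment above (this is not auth0-java or OkHttp code; the class, method and sample secret are made up): a char[] secret only stays wipeable while every later step avoids String, and the moment a String copy is created for the form body, zeroing the array no longer removes the secret from the heap.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added illustration, not auth0-java code; class and method names are made up.
public class SecretHandlingDemo {
    // Builds "client_secret=<percent-encoded secret>" directly into bytes, so no
    // String ever holds the secret. The caller wipes the returned array after use.
    static byte[] formEncodeSecret(char[] secret) {
        byte[] prefix = "client_secret=".getBytes(StandardCharsets.US_ASCII);
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret));
        byte[] buf = new byte[prefix.length + 3 * utf8.remaining()]; // worst case: %XX per byte
        System.arraycopy(prefix, 0, buf, 0, prefix.length);
        int n = prefix.length;
        while (utf8.hasRemaining()) {
            int c = utf8.get() & 0xff;
            boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
            if (unreserved) {
                buf[n++] = (byte) c;
            } else { // everything else, space included, is percent-encoded as %XX
                buf[n++] = '%';
                buf[n++] = (byte) "0123456789ABCDEF".charAt(c >> 4);
                buf[n++] = (byte) "0123456789ABCDEF".charAt(c & 0xF);
            }
        }
        if (utf8.hasArray()) Arrays.fill(utf8.array(), (byte) 0); // wipe the UTF-8 intermediate
        byte[] body = Arrays.copyOf(buf, n);
        Arrays.fill(buf, (byte) 0);
        return body;
    }

    public static void main(String[] args) {
        // Constructed sample; real code would take the secret from a char[] source such
        // as Console.readPassword(), because a String literal is already a heap copy.
        char[] secret = "s3cr3t value!".toCharArray();
        // String path: the copy is immutable, so wiping the char[] does not remove it.
        String copy = "client_secret=" + new String(secret);
        Arrays.fill(secret, '\0');
        System.out.println("String copy after wipe: " + copy);
        // Byte path: every buffer can be zeroed after sending, if the HTTP client accepts bytes.
        secret = "s3cr3t value!".toCharArray();
        byte[] body = formEncodeSecret(secret);
        Arrays.fill(secret, '\0');
        System.out.write(body, 0, body.length);
        System.out.println();
        Arrays.fill(body, (byte) 0);
    }
}
```

The byte path only helps if the request body is handed to the HTTP client as bytes; any API that takes the body as a String reintroduces the copy the comment above describes.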
Yes, that is what I feel as well, closing.