I wanted to build an OAuth v2 login system. I was given a client_secret which is meant not to be disclosed. Since the project is open source, how should I hide the client_secret from others? Is there a system through which only the original creator has access to this sensitive data?
Also, is it advisable to save the auth token in a backend file and use a function to call it? Does this method have any security issues?
My project uses JS, React and Node, if it helps.
The easiest way would be to create a configuration file that is read by your project at start-up. This configuration file will not be included in the source code repository, only an example version that does not contain the client_secret.
Furthermore, add a readme file describing where and how to get the client_secret and how to make a working configuration file.