Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello! Question regarding client credentials. If I have a central Hydra instance for our products, would there be any risk to providing end users of a self hosted service (one created by us, but deployed to our customer's infrastructure) a client ID/Secret?

Let's say for example I have a portal where all of these self hosted instances can register - this portal will handle the creation of the client through Hydra's admin API, and then pass along the client ID/Secret to the self hosted instance, where it would configure its OIDC to point at Hydra

Would there be any risk to that self hosted instance receiving a client secret (that anyone who has infrastructure access to that instance would be able to "sniff")?