zimbatm 5 hours ago
This is how keychains should be designed. Never return the secret, but mint a new token, or sign a request. We need this also for normal usage like development environments. Or when invoking a command on a remote server. Are you going to add support for services that don't support OIDC, or is this going to be a known limitation?
mc-serious 4 hours ago
Yes, that’s the ideal model. For services with OAuth/OIDC/token exchange support, we want to mint short-lived delegated creds instead of returning the underlying secret. For services that don’t support that, we don’t want them to be unsupported entirely. But they’re a weaker security tier: you can still improve custody/rotation/auditability, just not get the full “agent never sees the real secret” property without a proxy/broker/signing layer.