SAI_Peregrinus 9 hours ago

HSMs & similar can at least time-limit access to secrets to the period where an attacker can make requests to the HSM.

recursivegirth 9 hours ago | parent [-]

I think the problem is the way we are using these "secrets" services traditionally. The requesting process/machine should NEVER see the OAuth client secret. The short-lived session token should be the only piece of data the server/client are ever privy to.

The service that encrypts the data should be the ONLY service that holds the private key to decrypt, and therefore the only service that can process the decrypted data.

oasisbob 8 hours ago | parent [-]

The service wouldn't have access to the refresh token? How does authentication with the client-secret-holding intermediary work?

It's easy to see how this would work with sufficiently sophisticated clients in some use-cases, say via a vault plugin, but posing this as a universal necessity feels like a big departure from typical oauth flows, and the added complexity could be harmful depending on what home-grown solutions are used to implement it.
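The pattern recursivegirth describes, and the question oasisbob raises about how a service authenticates to the secret-holding intermediary, sketched as an added Python example (not code from either commenter or from any product named in the thread). It assumes a token broker process that alone holds the OAuth client secret and refresh token, a stand-in for the authorization server's token endpoint, and an assumed per-workload HMAC key as the way a workload proves its identity to the broker; all credential values are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample values; nothing here is a real credential.
CLIENT_ID = "example-client"
CLIENT_SECRET = "constructed-client-secret"
REFRESH_TOKEN = "constructed-refresh-token"
ACCESS_TOKEN_TTL = 300  # seconds a minted access token lives


class FakeTokenEndpoint:
    """Stand-in for the authorization server's refresh_token grant:
    checks client id, client secret and refresh token, then issues a
    short-lived access token. `clock` is injected so expiry can be tested."""

    def __init__(self, clock):
        self.clock = clock
        self.issued = 0  # how many refresh calls actually reached the IdP

    def refresh(self, client_id, client_secret, refresh_token):
        ok = (hmac.compare_digest(client_id, CLIENT_ID)
              and hmac.compare_digest(client_secret, CLIENT_SECRET)
              and hmac.compare_digest(refresh_token, REFRESH_TOKEN))
        if not ok:
            raise PermissionError("invalid_client")
        self.issued += 1
        return {"access_token": secrets.token_urlsafe(16),
                "expires_at": self.clock() + ACCESS_TOKEN_TTL}


@dataclass
class TokenBroker:
    """The only process that holds the client secret and refresh token.
    Workloads authenticate with an assumed per-workload HMAC key and receive
    only a short-lived access token plus its expiry; long-lived material never
    leaves this class."""
    endpoint: FakeTokenEndpoint
    workload_keys: dict          # workload_id -> shared HMAC key (assumed design)
    clock: callable
    refresh_margin: int = 30     # refresh this many seconds before expiry
    _cached: dict = field(default=None, init=False)
    _seen_nonces: set = field(default_factory=set, init=False)  # replay guard

    def _authenticate(self, workload_id, nonce, tag):
        key = self.workload_keys.get(workload_id)
        if key is None or nonce in self._seen_nonces:
            return False
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        self._seen_nonces.add(nonce)
        return True

    def get_access_token(self, workload_id, nonce, tag):
        if not self._authenticate(workload_id, nonce, tag):
            raise PermissionError("unknown or unauthenticated workload")
        now = self.clock()
        # Reuse a cached token while it is comfortably valid; otherwise the
        # broker, and only the broker, talks to the IdP with the client secret.
        if self._cached is None or self._cached["expires_at"] - now <= self.refresh_margin:
            self._cached = self.endpoint.refresh(CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN)
        return {"access_token": self._cached["access_token"],
                "expires_at": self._cached["expires_at"]}


def sign_request(workload_id, key):
    """What a workload sends: its id, a fresh nonce, and an HMAC tag over it."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
    return workload_id, nonce, tag


def demo():
    clock = {"t": 1_000_000}
    tick = lambda: clock["t"]
    endpoint = FakeTokenEndpoint(tick)
    keys = {"billing-svc": b"constructed-workload-key"}  # constructed
    broker = TokenBroker(endpoint, keys, tick)

    first = broker.get_access_token(*sign_request("billing-svc", keys["billing-svc"]))
    second = broker.get_access_token(*sign_request("billing-svc", keys["billing-svc"]))
    clock["t"] += ACCESS_TOKEN_TTL  # token is now expired
    third = broker.get_access_token(*sign_request("billing-svc", keys["billing-svc"]))

    try:  # wrong workload key: the broker refuses and never contacts the IdP
        broker.get_access_token(*sign_request("billing-svc", b"wrong-key"))
        rejected = False
    except PermissionError:
        rejected = True

    return {"refreshes": endpoint.issued,
            "cached": first["access_token"] == second["access_token"],
            "rotated": first["access_token"] != third["access_token"],
            "leaked_fields": {k for k in first if k in ("client_secret", "refresh_token")},
            "bad_key_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The workload's only secret is its own identity key to the broker; compromising the workload yields a token that expires in minutes, while the client secret and refresh token stay inside the broker, which is the property the thread is arguing about. The HMAC-over-nonce handshake is the simplest assumed stand-in for a real workload identity; in practice that role is filled by a platform credential such as a cloud instance identity or a vault auth method.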