What Grafana version and what operating system are you using?
Version 9.x.x up to latest. I need the behaviour of all versions in between.
What are you trying to achieve?
I want to read out the client_secret from the generic_oauth configuration in clear text. (Grafana is self hosted)
How are you trying to achieve it?
I tried to view it in the Grafana UI and to fetch it using the Grafana API.
What happened?
I got the secret but blurred out.
What did you expect to happen?
I want to read it out in clear text without having to look into the grafana.ini.
If it is not possible, please tell me that right away. Or otherwise, is it safe to store a secret in there without the users being able to read it out even if they have the full admin privileges on the instance?
Correct, PKCE is not a replacement for client credentials. It is a different flow. Check the OIDC/OAuth standard and you will see there are multiple flows, which suit different needs.
I’m saying switch to a different, more suitable flow, where you don’t need client credentials - that’s exactly PKCE.
You have PKCE support in Grafana => you won’t need client credentials in Grafana config => not a problem with security of those client credentials.
That depends on your security awareness. Config (client secret included) is usually saved in the repo in plaintext. That’s probably fine if you are working on a 1-person project, but that is a security antipattern in an enterprise env.
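The following check is an added example, not part of the thread and not Grafana's own code. It audits the `[auth.generic_oauth]` section of a `grafana.ini` for the two points raised above: a `client_secret` stored as a literal value, and PKCE (`use_pkce`) not being enabled. The sample configs, the secret value and the file path are constructed; it assumes Grafana's `$__env{}`, `$__file{}` and `$__vault{}` config expansion is how a secret is kept out of the file.

```python
import configparser
import re

# Grafana expands these provider expressions when it loads the config,
# so the secret itself is not written in the ini file.
PROVIDER_REF = re.compile(r"^\$__(env|file|vault)\{.+\}$")

def audit_generic_oauth(ini_text):
    """Return a list of findings for the [auth.generic_oauth] section."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    if not cfg.has_section("auth.generic_oauth"):
        return []
    sec = cfg["auth.generic_oauth"]
    if not sec.getboolean("enabled", fallback=False):
        return []
    findings = []
    secret = sec.get("client_secret", fallback="").strip().strip('"')
    if secret and not PROVIDER_REF.match(secret):
        findings.append("client_secret is a literal value in the file")
    if not sec.getboolean("use_pkce", fallback=False):
        findings.append("use_pkce is not enabled")
    return findings

# Constructed sample: secret committed in plaintext, no PKCE.
SAMPLE_PLAINTEXT = """
[auth.generic_oauth]
enabled = true
client_id = grafana
client_secret = EXAMPLE-NOT-A-REAL-SECRET
"""

# Constructed sample: secret read from a file (hypothetical path), PKCE on.
SAMPLE_FILE_REF = """
[auth.generic_oauth]
enabled = true
client_id = grafana
client_secret = $__file{/etc/secrets/oauth_client_secret}
use_pkce = true
"""

if __name__ == "__main__":
    for name, text in [("plaintext", SAMPLE_PLAINTEXT), ("file ref", SAMPLE_FILE_REF)]:
        print(name, audit_generic_oauth(text) or "no findings")
```

Run against the config in the repository, this flags a committed secret before it reaches a shared branch.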