Reminder: Migrate from using API tokens to officially supported authentication for Atlassian apps & integrations

Can you please clarify further with regards to service accounts? Currently available credentials for service accounts are “API token” and “OAuth 2.0”, but in this case the “OAuth 2.0” is not the usual redirect flow, but just client_id/client_secret. So, on the one hand, the API token should not be used. But on the other hand, instead of “service account id + token” we can store “client id + client secret”, which are nominally called “OAuth 2.0”, but are basically the same thing as a token behind the scenes. Where does this usage fall? If storing the “OAuth 2.0 kind-of-not-token” is allowed, then what exactly is the difference in security concern/blast radius between the service account’s two credential types? And if it is not allowed, does that mean that apps can’t use service accounts at all, as we don’t have access to the credentials?

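As an added illustration, not part of the original post and not Atlassian's implementation: a small in-memory simulation of the generic OAuth 2.0 client-credentials grant (RFC 6749 section 4.4) placed next to a static API token, showing which secret is presented to which party and which credential expires. The client id, account id, token lifetime and the simulated token endpoint are assumptions; the code makes no claim about how Atlassian classifies either credential.

```python
"""Added illustration: a static API token versus an OAuth 2.0 client-credentials
grant, simulated in memory.  Client ids, account ids, the token endpoint and the
one-hour lifetime are assumptions, not anything from the thread above."""
import hashlib
import hmac
import secrets

ACCESS_TOKEN_TTL = 3600  # assumed lifetime of an issued access token, in seconds


def _digest(value: str) -> str:
    # Long-lived secrets are stored only as hashes and compared in constant time.
    return hashlib.sha256(value.encode()).hexdigest()


class AuthorizationServer:
    """Simulated token endpoint for grant_type=client_credentials."""

    def __init__(self):
        self._clients = {}  # client_id -> sha256(client_secret)
        self._tokens = {}   # access_token -> (client_id, expires_at)

    def register_client(self, client_id: str) -> str:
        # The client_secret is shown to the integration once and stored hashed.
        client_secret = secrets.token_urlsafe(32)
        self._clients[client_id] = _digest(client_secret)
        return client_secret

    def rotate_secret(self, client_id: str) -> str:
        # Replaces the stored hash; previously issued access tokens are untouched.
        return self.register_client(client_id)

    def token(self, client_id: str, client_secret: str, now: float):
        # The client_secret only ever travels to this endpoint, never to the API.
        expected = self._clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, _digest(client_secret)):
            return None
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = (client_id, now + ACCESS_TOKEN_TTL)
        return access_token

    def introspect(self, access_token: str, now: float):
        # What the resource server checks: the short-lived token, not the secret.
        entry = self._tokens.get(access_token)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]


class ApiTokenStore:
    """Static API token: the stored credential is itself the bearer secret."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> account_id

    def issue(self, account_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = account_id
        return token

    def authorize(self, token: str):
        # No expiry: the token works until someone explicitly removes it.
        return self._tokens.get(_digest(token))


def demo() -> dict:
    """Runs both credential shapes through the same timeline and reports outcomes."""
    t0 = 1_700_000_000.0  # constructed clock value
    auth = AuthorizationServer()
    secret = auth.register_client("svc-client")        # assumed client id
    api = ApiTokenStore()
    api_token = api.issue("svc-account")               # assumed account id

    access = auth.token("svc-client", secret, t0)
    results = {
        "oauth_at_issue": auth.introspect(access, t0) == "svc-client",
        "api_token_at_issue": api.authorize(api_token) == "svc-account",
    }
    # After the TTL the access token is dead; the API token is not.
    later = t0 + ACCESS_TOKEN_TTL + 1
    results["oauth_after_ttl"] = auth.introspect(access, later) is None
    results["api_token_after_ttl"] = api.authorize(api_token) == "svc-account"
    # Rotating the client secret blocks new token requests made with the old
    # secret, while tokens already issued keep working until they expire.
    auth.rotate_secret("svc-client")
    results["old_secret_after_rotation"] = auth.token("svc-client", secret, t0 + 10) is None
    results["issued_token_survives_rotation"] = auth.introspect(access, t0 + 10) == "svc-client"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The distinction the simulation makes visible is where each secret is presented: the static API token is sent to the API on every call and never expires on its own, whereas the client secret is sent only to the token endpoint and the API sees a token that dies after its TTL; rotating the secret also does not invalidate tokens already issued, which is why revocation and rotation need separate handling in either model.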
