songkick / oauth2-provider

Simple OAuth 2.0 provider toolkit

Client Secret

andrewpbrett opened this issue · comments

I've seen (or I think I've seen) other OAuth provider implementations that don't hash the client secret. Is this something that's within the spec, or is it done here for extra security?

The spec essentially says they should be treated with the same care as passwords. I'm actually looking at trying to make the protection provided by OAuth2::Provider stronger.

I know a lot of OAuth providers let you get the client secret at any time, but I consider this an antipattern.

Cool, good to know. Thanks for publishing this, it's been really useful.

(Apologies if there's a mailing list that's better for questions like this)

If the client_secret is immediately hashed, how does the provider give it to the person who just created the client?

When the Client instance is created, the secret is held in memory as an instance variable on the model object, allowing the app to retrieve it and display it in the response. Once that object is garbage-collected, the secret is lost and only the hash remains in the database.
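To make the lifecycle described in that reply concrete, here is an added example (illustration only, not the oauth2-provider gem's own Client class). It models a client whose plaintext secret exists only on the object that created it, whose persisted row contains nothing but an id, a salt and a hash, and which, once reloaded from that row, can verify a presented secret but can never return it. PBKDF2 over SHA-256 via OpenSSL stands in for whatever hash the library actually uses; the class name `ClientRecord` and every method name are assumptions made for this example.

```ruby
require 'securerandom'
require 'openssl'

# Hypothetical client model (illustration only, not the oauth2-provider gem's
# own Client class). The plaintext secret lives only on the object that
# created it; storage sees a salt and a PBKDF2 hash.
class ClientRecord
  PBKDF2_ITERATIONS = 100_000   # assumed work factor for this example
  HASH_BYTES        = 32

  attr_reader :client_id, :secret_salt, :secret_hash
  # Populated only by ClientRecord.create; nil on anything loaded from storage.
  attr_reader :client_secret

  def initialize(client_id:, secret_salt:, secret_hash:, client_secret: nil)
    @client_id     = client_id
    @secret_salt   = secret_salt
    @secret_hash   = secret_hash
    @client_secret = client_secret
  end

  # Registration path: generate a fresh secret, hash it immediately, and keep
  # the plaintext only as an instance variable so the caller can show it once.
  def self.create
    secret = SecureRandom.hex(32)             # 256 bits of entropy
    salt   = SecureRandom.random_bytes(16)    # per-client salt
    new(client_id:     SecureRandom.hex(16),
        secret_salt:   salt,
        secret_hash:   hash_secret(secret, salt),
        client_secret: secret)
  end

  def self.hash_secret(secret, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(secret, salt, PBKDF2_ITERATIONS, HASH_BYTES,
                               OpenSSL::Digest.new('sha256'))
  end

  # What gets written to the database: note there is no :client_secret key.
  def persisted_attributes
    { client_id: client_id, secret_salt: secret_salt, secret_hash: secret_hash }
  end

  # Reloading from storage never reconstitutes the plaintext secret.
  def self.from_row(row)
    new(client_id:   row[:client_id],
        secret_salt: row[:secret_salt],
        secret_hash: row[:secret_hash])
  end

  # Token-endpoint check: hash the presented value with the stored salt and
  # compare in constant time so a mismatch does not leak where it differs.
  def authenticate(candidate)
    return false unless candidate.is_a?(String)
    candidate_hash = self.class.hash_secret(candidate, secret_salt)
    constant_time_equal?(candidate_hash, secret_hash)
  end

  private

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  client = ClientRecord.create
  puts "Show this to the registrant once: #{client.client_secret}"
  row = client.persisted_attributes
  puts "Stored columns: #{row.keys.inspect}"
  reloaded = ClientRecord.from_row(row)
  puts "Plaintext recoverable after reload? #{!reloaded.client_secret.nil?}"
  puts "Correct secret accepted? #{reloaded.authenticate(client.client_secret)}"
end
```

The point worth checking in any provider is the gap between `create` and `from_row`: the registration response is the only place the plaintext is available, and a later "show me my secret" endpoint can only exist if the provider broke that rule and stored the plaintext somewhere.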

Got it, thanks again!