OIDC Secret in authentication.ps1 - Best Practice

Product: PowerShell Universal
Version: 5.6.13


Hey all,

We have set up our environment with OIDC to Entra ID, which works without problems.

But the secret appears in plain text in authentication.ps1, which is kind of a security risk in my opinion. I tried using it with a secret variable, but this doesn't work.

Does anyone have a good solution for this?


Recommended Answer

We have support for secret variables with ClientSecret coming in 2026.1.3

Adam Driscoll
PowerShell Expert and Developer at Devolutions

All Comments (4)



Do you mean in the GUI? Because I've been hiding the OIDC shared secret in a PSU secret for a while now by just using it in the .ps1 file instead.
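For readers wanting to see what "using it in the .ps1 file" looks like, here is an added example of an authentication.ps1 that reads the client secret from a PSU secret variable instead of a literal string (example code, not from the thread or from Devolutions). It assumes a secret variable named `OIDCClientSecret` exists in the PSU variable store and that the `$Secret:` scope resolves in authentication.ps1 on your version; the client and tenant IDs are placeholders.

```powershell
# Added example, not the project's own code.
# Assumption: a PSU secret variable named "OIDCClientSecret" holds the Entra ID client secret.

# Weak form the original post describes: the secret is a string literal in a file
# that typically ends up in version control.
#
# Set-PSUAuthenticationMethod -Type "OpenIDConnect" -ClientId "<client-id>" `
#     -ClientSecret "plain-text-secret-here" `
#     -Authority "https://login.microsoftonline.com/<tenant-id>/v2.0" `
#     -CallbackPath "/auth/oidc"

# Hardened form: resolve the secret at load time from the PSU secret store.
$clientSecret = $Secret:OIDCClientSecret

if ([string]::IsNullOrEmpty($clientSecret)) {
    # Fail closed rather than silently falling back to a hard-coded value;
    # a missing secret shows up as a clear error in the PSU logs instead of
    # a confusing OIDC failure at sign-in time.
    throw "Secret variable 'OIDCClientSecret' did not resolve; refusing to configure OIDC."
}

Set-PSUAuthenticationMethod -Type "OpenIDConnect" `
    -ClientId "<client-id-placeholder>" `
    -ClientSecret $clientSecret `
    -Authority "https://login.microsoftonline.com/<tenant-id-placeholder>/v2.0" `
    -CallbackPath "/auth/oidc"
```

With the secret removed from the file, authentication.ps1 contains only identifiers and can be committed without excluding it from the repository.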


In the GUI and it will make the Set-PSUAuthenticationMethod cmdlet a bit more intelligent to avoid having to write the PS1 file manually.

Adam Driscoll
PowerShell Expert and Developer at Devolutions


Similar to others, I have this configured the same way, though I've minimised the risk by doing two things:

  1. Separated SSO auth into its own app registration. I have a separate app reg for anything that needs to connect back to Entra and requires additional permissions; that one only uses vault secrets in my scripts.
  2. Added authentication.ps1 to my .gitignore file to keep it out of the codebase.

With that being said, support for using proper secrets in 2026.1.3 will be greatly received