privateKey for generating the token in fosite

[christiezhao-outreach]

hi everyone! in fosite, the initiation of the oauth2Provider takes in a secret and a private key.

I know the secret is used to sign access and refresh tokens as well as authorization codes but why do we need a private key and what are the use cases for it?

var oauth2Provider = compose.ComposeAllEnabled(config, storage, secret, privateKey)

Is the private key and the secret global or is it supposed to be generated every time the server starts? Would you recommend me create a global secret and private key that's the same in every Bentos and environment?

[vinckr]

Hello @christiezhao-outreach,
sorry that there has been no helpful answer so far. I dont know what the "right" answer here is, but my guess is it depends on your overall security architecture and threat models.
Feel free to also join the Ory Community chat, there you can hopefully find some Ory Fosite users willing to help out, provided you are still stuck on this issue.