
We are setting up a SaaS server-to-server auth solution using AWS Cognito + API Gateway with the OAuth2 client credentials flow.

And one thing is totally bugging me - I can access App client secret in plain text.

Since we would be sharing these credentials with actual clients, having secrets in plain text does not look like a good idea. Just like storing passwords in plain text. At most I would expect to be able to access these credentials only during the client creation process.

Am I missing something?

Example with visible secrets

Lukas LT
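To make the two sides of the concern concrete, here is an added example (not the poster's code and not Cognito's implementation). The first function builds the RFC 6749 client_credentials token request with HTTP Basic client authentication, which is the form the Cognito `/oauth2/token` endpoint accepts; it shows why the calling client must hold the secret in plain text. The second part is a hypothetical issuer-side registry of the kind the poster expects: it returns the secret exactly once at creation and afterwards keeps only a salted PBKDF2 digest, so the secret can be verified but never read back. The domain, client id and secret values are constructed placeholders.

```python
"""Added example: client_credentials request builder plus a hypothetical
show-once secret registry. Not Cognito's code; values are placeholders."""
import base64
import hashlib
import hmac
import os
import secrets
from urllib.parse import urlencode

# Constructed placeholder values; a real deployment uses its own Cognito domain and client.
COGNITO_DOMAIN = "https://example-tenant.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "1example23456789"
CLIENT_SECRET = "example-secret-value"


def build_client_credentials_request(domain, client_id, client_secret, scopes=()):
    """Return (url, headers, body) for an RFC 6749 section 4.4 token request.

    Client authentication is HTTP Basic: base64(client_id:client_secret).
    The body carries grant_type=client_credentials and an optional scope list.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    params = {"grant_type": "client_credentials"}
    if scopes:
        params["scope"] = " ".join(scopes)
    return f"{domain}/oauth2/token", headers, urlencode(params)


class ClientRegistry:
    """Hypothetical issuer-side store that never retains a plaintext secret.

    create_client() is the only place the secret is visible; afterwards only a
    salted PBKDF2-HMAC-SHA256 digest is kept, exactly as a password store would.
    """

    ITERATIONS = 200_000

    def __init__(self):
        self._records = {}  # client_id -> (salt, digest)

    def create_client(self, client_id):
        secret = secrets.token_urlsafe(32)
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, self.ITERATIONS)
        self._records[client_id] = (salt, digest)
        return secret  # shown once; the registry cannot reproduce it later

    def verify(self, client_id, presented_secret):
        record = self._records.get(client_id)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac(
            "sha256", presented_secret.encode(), salt, self.ITERATIONS
        )
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, digest)


def authenticate_basic(registry, headers):
    """Issuer-side check of the Basic header; returns the client_id or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
        client_id, presented = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    return client_id if registry.verify(client_id, presented) else None


if __name__ == "__main__":
    url, headers, body = build_client_credentials_request(
        COGNITO_DOMAIN, CLIENT_ID, CLIENT_SECRET, ["api/read"]
    )
    print(url, headers["Authorization"], body)
    registry = ClientRegistry()
    issued = registry.create_client("tenant-a")
    _, hdrs, _ = build_client_credentials_request(COGNITO_DOMAIN, "tenant-a", issued)
    print(authenticate_basic(registry, hdrs))
```

The caller still needs the plaintext secret to form the Basic header, which is why it must be delivered to the client at least once; the design choice the question turns on is only whether the issuer keeps a recoverable copy after that delivery.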

0 Answers