Securing OAuth Tokens using Summon

I’m building something in Python using Flask right now and need to OAuth to another service to access user private data. I’m using Summon to deliver the Client ID & Secret as environment variables to Python when running the server. I need to handle the OAuth, so I’m sending the user to Spotify’s website to authorize their user data and I receive a code back. I then immediately send the code back to Spotify and get my access token. I then set it as an environment variable for use in the web app.

What I found was that if I had included the access token environment variable name in my secrets.yml file with a bogus value, when I eventually set the access token env var to the actual OAuth token, it’s set only in the Python environment… not on the host… since that was one of the environment variables owned by Summon’s process. Thought that was pretty cool…

TL;DR
When Summon provides a variable to a process environment, it can be changed and will remain only in that environment. So tokens generated after init can still be secured.

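The flow the post describes, as an added example that is not code from the original thread or from Summon: the client ID and secret are read from the environment variables Summon injected, the authorization code is traded for an access token, and the token is written back into `os.environ`, where it overwrites Summon's placeholder for this process and its children only. A small in-process HTTP server stands in for Spotify's token endpoint so the example runs offline; the variable names, the `secrets.yml` shape in the comment, the credentials and the token values are all constructed for the demo.

```python
"""Added example (not from the thread or from Summon): OAuth 2.0 authorization-code
exchange using Summon-provided client credentials, with the resulting access token
kept in this process's environment only.  A fake local token endpoint replaces
Spotify's so the code runs offline; all names and values below are constructed."""
import base64, json, os, subprocess, sys, threading
import urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed variable names.  A matching secrets.yml (constructed) would look like:
#   SPOTIFY_CLIENT_ID: !var spotify/client_id
#   SPOTIFY_CLIENT_SECRET: !var spotify/client_secret
#   SPOTIFY_ACCESS_TOKEN: placeholder   # listed so Summon owns it, as the post describes
CLIENT_ID_VAR = "SPOTIFY_CLIENT_ID"
CLIENT_SECRET_VAR = "SPOTIFY_CLIENT_SECRET"
TOKEN_VAR = "SPOTIFY_ACCESS_TOKEN"

# Constructed values standing in for what Summon would pull from its provider.
DEMO_CLIENT_ID = "demo-client-id"
DEMO_CLIENT_SECRET = "demo-client-secret"
DEMO_CODE = "demo-authorization-code"
DEMO_TOKEN = "demo-access-token"


class FakeTokenEndpoint(BaseHTTPRequestHandler):
    """Stand-in for the provider's token endpoint: checks HTTP Basic client
    credentials and the authorization code before issuing a token."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        expected = "Basic " + base64.b64encode(
            f"{DEMO_CLIENT_ID}:{DEMO_CLIENT_SECRET}".encode()).decode()
        ok = (self.headers.get("Authorization") == expected
              and form.get("grant_type") == ["authorization_code"]
              and form.get("code") == [DEMO_CODE])
        payload = ({"access_token": DEMO_TOKEN, "token_type": "Bearer", "expires_in": 3600}
                   if ok else {"error": "invalid_grant"})
        body = json.dumps(payload).encode()
        self.send_response(200 if ok else 400)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_fake_endpoint():
    """Serve the fake endpoint on a random loopback port; returns (server, token_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeTokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/api/token"


def exchange_code_for_token(code, token_url, redirect_uri="http://localhost:5000/callback"):
    """Trade the authorization code for an access token using the client credentials
    Summon placed in the environment, then keep the token in-process only."""
    creds = base64.b64encode(
        f"{os.environ[CLIENT_ID_VAR]}:{os.environ[CLIENT_SECRET_VAR]}".encode()).decode()
    data = urllib.parse.urlencode({"grant_type": "authorization_code",
                                   "code": code, "redirect_uri": redirect_uri}).encode()
    req = urllib.request.Request(token_url, data=data, method="POST", headers={
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            token = json.load(resp)["access_token"]
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"token exchange rejected with HTTP {err.code}") from err
    os.environ[TOKEN_VAR] = token  # overwrites Summon's placeholder for this process only
    return token


def token_seen_by_child(env):
    # Spawn a child interpreter with the given environment and report the token it sees.
    out = subprocess.run(
        [sys.executable, "-c", f"import os; print(os.environ.get('{TOKEN_VAR}', ''))"],
        env=env, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def run_demo():
    """Simulate Summon's hand-off, run the exchange, and compare what this process,
    its children, and the environment Summon originally handed over can see."""
    os.environ[CLIENT_ID_VAR] = DEMO_CLIENT_ID  # what `summon` would inject
    os.environ[CLIENT_SECRET_VAR] = DEMO_CLIENT_SECRET
    os.environ[TOKEN_VAR] = "placeholder"
    handed_over = dict(os.environ)  # the environment exactly as Summon set it up
    server, token_url = start_fake_endpoint()
    try:
        token = exchange_code_for_token(DEMO_CODE, token_url)
        try:
            exchange_code_for_token("wrong-code", token_url)
            bad_code_rejected = False
        except RuntimeError:
            bad_code_rejected = True  # endpoint refused; token in env is unchanged
    finally:
        server.shutdown()
    return {
        "token": token,
        "bad_code_rejected": bad_code_rejected,
        "in_process": os.environ[TOKEN_VAR],
        "child_of_process": token_seen_by_child(os.environ.copy()),
        "summon_snapshot": handed_over[TOKEN_VAR],
        "child_of_snapshot": token_seen_by_child(handed_over),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the module prints the comparison: the process and anything it spawns see the real token, while the snapshot of the environment Summon handed over (and any child started from it) still holds the placeholder, which is the behaviour the post observed. A rejected exchange leaves the environment untouched, so a failed OAuth round-trip never clobbers a previously obtained token. The thread later reports that the placeholder value can also be left empty in `secrets.yml`; the constructed example uses a literal only so the difference is visible in the output.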

This is awesome! I love the idea that you can keep an environment variable so its value is only visible to the subprocess, just by including it in secrets.yml.

Do you even need to provide a value for it in secrets.yml, or can you just leave it blank?

Thanks @izgerij!

It would appear that you can just NOT set a value and it’ll work all the same!
