I’m building something in Python using Flask right now and need to OAuth to another service to access user private data. I’m using Summon to deliver the Client ID & Secret as environment variables to Python when running the server. I need to handle the OAuth, so I’m sending the user to Spotify’s website to authorize their user data and I receive a code back. I then immediately send the code back to Spotify and get my access token. I then set it as an environment variable for use in the web app.
What I found was that if I had included the access token environment variable name in my secrets.yml file with a bogus value, when I eventually set the access token env var to the actual OAuth token, it’s set only in the Python environment… not on the host… since that was one of the environment variables owned by Summon’s process. Thought that was pretty cool…
TL;DR
When Summon provides a variable to a process environment, it can be changed, and the change will remain only in that environment. So tokens generated after init can still be secured.
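An added example, not code from the post above or from Summon itself, that reproduces the behaviour described offline: a launcher process starts a child with the token variable set to a placeholder (standing in for the bogus value Summon injects from secrets.yml), the child overwrites the variable after its "code exchange", and the script records what the child, the child's own child, and the launcher each see afterwards. The variable name `SPOTIFY_ACCESS_TOKEN`, the placeholder string and the token value are constructed for the demonstration; no OAuth request is made.

```python
import os
import subprocess
import sys

# Constructed names: stand-ins for the env var Summon would inject from
# secrets.yml and for the bogus value given to it there (both hypothetical).
TOKEN_VAR = "SPOTIFY_ACCESS_TOKEN"
PLACEHOLDER = "bogus-value-from-secrets-yml"
REAL_TOKEN = "access-token-returned-after-code-exchange"  # constructed, not a real token

# Script run as the "web app" child process. It overwrites the variable in its
# own environment (as the Flask app does once it holds the real token), spawns a
# grandchild to show the new value is inherited downward, and prints both views.
CHILD_SCRIPT = r"""
import os, subprocess, sys
var, new_value = sys.argv[1], sys.argv[2]
os.environ[var] = new_value          # goes through putenv: this process and its children only
grandchild = subprocess.run(
    [sys.executable, "-c", "import os, sys; print(os.environ.get(sys.argv[1], ''))", var],
    capture_output=True, text=True, check=True,
)
print(os.environ[var])
print(grandchild.stdout.strip())
"""


def run_app_with_placeholder(var, placeholder, real_token):
    """Act as the Summon-like launcher: start a child with `var` set to the
    placeholder and let the child overwrite it with the real token.
    Returns (child_view, grandchild_view) of the variable."""
    env = dict(os.environ)
    env[var] = placeholder
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_SCRIPT, var, real_token],
        env=env, capture_output=True, text=True, check=True,
    )
    child_view, grandchild_view = proc.stdout.splitlines()
    return child_view, grandchild_view


def demonstrate():
    """Return what each process saw, plus whether this (launcher) process's
    environment was left untouched by the child's overwrite."""
    parent_before = os.environ.get(TOKEN_VAR)
    child_view, grandchild_view = run_app_with_placeholder(TOKEN_VAR, PLACEHOLDER, REAL_TOKEN)
    parent_after = os.environ.get(TOKEN_VAR)
    return {
        "child_view": child_view,            # the app sees the real token
        "grandchild_view": grandchild_view,  # anything the app spawns inherits it
        "parent_unchanged": parent_before == parent_after,  # the launcher never sees it
    }


if __name__ == "__main__":
    print(demonstrate())
```

The assignment to `os.environ` is a `putenv` in the running process, so it is visible to that process and to anything it starts afterwards, and to nothing else: the shell or Summon process that launched it keeps its original environment. One related check worth knowing: `/proc/<pid>/environ` on Linux exposes the environment block from exec time and is not updated by later `putenv` calls, so a reader of that file sees the placeholder, not the token written afterwards.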