Hello, we have an application that needs to fetch a client secret before it can communicate with a third-party integration. We’d like some form of app-level authorization rather than human-operator auth. Initially it looked like the AppRole Auth Method would have been a good fit but, on reflection, it seems to be an admin API rather than an end-user API. The other issue was that it requires a client secret itself (a chicken-and-egg scenario). There is a way to turn off the requirement of the client secret, but this essentially removes all security from the integration.
Is there a plugin or mechanism that could allow app-level access and utilise an attestation service such as Apple DeviceCheck, Google SafetyNet or Firebase App Check? If there isn’t one today, what would it take to create one in Vault? Such an app-level authorisation and attestation plugin would negate the need for an initial client secret and enable many applications to securely integrate with Vault. Happy to talk further about this use-case.
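The post mentions that the secret_id requirement of AppRole can be switched off (`bind_secret_id=false`), which leaves the role_id as the only credential. The script below is an added example, not code from the original post or from Vault: it audits AppRole role documents in the shape `vault read -format=json auth/approle/role/<name>` returns and flags roles where secret_id is not required and no restrictive `token_bound_cidrs` remains. The role names, CIDRs and policy names are constructed for illustration; the assumption that a missing `bind_secret_id` field means the Vault default of `true` is also noted in the code.

```python
"""Audit AppRole roles for the "no secret_id" configuration.

Added example, not code from the original forum post or from Vault itself.
Role documents are expected in the shape `vault read -format=json
auth/approle/role/<name>` returns under "data"; the role names, CIDRs and
policy names below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import json

# Constructed sample roles: the weak setting from the post (bind_secret_id
# turned off with nothing else bound) beside a role bound to a wide-open
# CIDR, one bound to a real subnet, and the default configuration.
SAMPLE_ROLES = {
    "batch-worker-open": {
        "bind_secret_id": False,
        "secret_id_bound_cidrs": [],
        "token_bound_cidrs": [],
        "token_policies": ["integration-read"],
    },
    "batch-worker-anycidr": {
        "bind_secret_id": False,
        "secret_id_bound_cidrs": [],
        "token_bound_cidrs": ["0.0.0.0/0"],  # accepted by Vault, restricts nothing
        "token_policies": ["integration-read"],
    },
    "batch-worker-cidr": {
        "bind_secret_id": False,
        "secret_id_bound_cidrs": [],
        "token_bound_cidrs": ["10.20.0.0/24"],
        "token_policies": ["integration-read"],
    },
    "api-default": {
        "bind_secret_id": True,
        "secret_id_bound_cidrs": ["10.20.0.0/24"],
        "token_bound_cidrs": [],
        "token_policies": ["integration-read"],
    },
}


def load_role(vault_read_json: str) -> dict:
    """Extract the role document from `vault read -format=json` output."""
    return json.loads(vault_read_json)["data"]


def _restricts(cidrs) -> bool:
    """True if at least one CIDR covers less than the whole address space."""
    for cidr in cidrs or []:
        if ipaddress.ip_network(cidr, strict=False).prefixlen > 0:
            return True
    return False


def classify_role(role: dict) -> tuple[str, str]:
    """Return (severity, reason) for one AppRole role document.

    "ok":     a secret_id is required at login (Vault's default; assumed
              when the field is absent from the document).
    "medium": role_id alone logs in, but only from token_bound_cidrs.
    "high":   role_id alone logs in from any source address.
    """
    if role.get("bind_secret_id", True):
        return "ok", "secret_id required at login"
    if _restricts(role.get("token_bound_cidrs")):
        return "medium", "role_id alone logs in, limited to token_bound_cidrs"
    return "high", "role_id alone logs in from any address"


def audit_roles(roles: dict) -> dict:
    """Classify every role; returns {name: (severity, reason)}."""
    return {name: classify_role(role) for name, role in roles.items()}


def findings_at(roles: dict, severity: str) -> list:
    """Sorted role names at the given severity."""
    return sorted(n for n, (sev, _) in audit_roles(roles).items() if sev == severity)


if __name__ == "__main__":
    for name, (sev, why) in audit_roles(SAMPLE_ROLES).items():
        print(f"{sev:6} {name}: {why}")
```

Run it against real output by piping `vault read -format=json auth/approle/role/<name>` into `load_role`; anything reported as "high" is a role whose only credential is the role_id, which is exactly the situation the post describes as removing all security from the integration.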