I was looking through AppRole-based auth, and while it seems mostly secure enough, I was wondering why it isn’t recommended to use an implicit auth-based system for App auth instead.
For example, let’s imagine a server was hosted at xyz .com. If it needed some secret from Vault, it would tell Vault “hey my App Id is X and I need the secret /secret/servers/xyz/s1” and Vault would send the data to some pre-configured callback location “xyz .com /callback”.
This way, the authentication/authorization is just set up beforehand and there’s no risk of leaked credentials.
Is there something I’m missing from a security perspective? Or maybe there is a way to do this that I missed?
Thanks a bunch for the help,
Vaishnav
Edit: Sorry for the accidental hyperlinks in the examples. Please ignore the spaces in the links, haha.