
I have an application that needs to store secrets on behalf of the user. These secrets should be stored securely, but need to be decryptable when the user is present.

Ordinarily I would turn to password-based keys (i.e. PBKDF2) to derive the key; however, I also have to provide OAuth2 sign-in capabilities (with Facebook and Google), which means I don't have a password that I can use to generate the key.

I have tried to find a unique, consistent and secret key that's returned from the OAuth2 providers, but I can't find one.

Are there any approaches that can combine the two? I suspect the answer is no, but wanted to ask just in case.

0 Answers