When registering an application in Auth0, it seems only a single client secret can be associated with the registered app. That makes secret rotation tricky.
I see there is a feature to rotate secrets but it immediately invalidates the old secret. This makes it difficult for our app owners to rotate secrets with no downtime. Asking app owners to use two secrets in their code seems like an inelegant solution. Instead I’d rather keep the old secret alive for an arbitrary amount of time. I know competing systems like Azure App Registration supports multiple active secrets. Is there an equivalent here?
2 Likes
Hi @andrew.schoewe,
Welcome to the Auth0 Community!
Typically we recommend storing the old and new secrets and using the new secret as a fallback when the old secret fails. I linked a doc below that touches on our recommended best practice for rotating your client secrets and minimizing downtime.
Let me know if this helps solve your issue or if you have any questions.
Thanks,
Dan
I understand the solution (more of a workaround really), but I don’t think it will really work for many of our app owners. They use off-the-shelf libraries, like Spring Security, to handle the OIDC/OAuth2 flows to retrieve the id_token and access_token. In Spring Security I don’t see support for OAuth2 clients to have a list of secrets. So custom coding would be required of my app owners to do this key rotation, which seems like a big ask when some of our app owners are external clients.
https://docs.spring.io/spring-security-oauth2-boot/docs/current/reference/htmlsingle/#common-application-properties
Andrew
4 Likes