Is it possible to have multiple app secrets?

I understand the solution (more of a workaround really), but I don’t think it will really work for many of our app owners. They use off-the-shelf libraries, like Spring Security, to handle the OIDC/OAuth2 flows to retrieve the id_token and access_token. In Spring Security I don’t see support for OAuth2 clients to have a list of secrets. So custom coding would be required of my app owners to do this key rotation, which seems like a big ask when some of our app owners are external clients.

https://docs.spring.io/spring-security-oauth2-boot/docs/current/reference/htmlsingle/#common-application-properties

Andrew
