Is there any way to disable these entirely? They represent a fairly significant potential security concern if ever leaked since they can’t be easily changed, and since there’s only one pair it’s difficult to coordinate rotation.
I’ve been instructed in the past that it’s possible to change the global secret via the API itself, but at the time this resulted in users’ credentials being invalidated. I’d rather disable the feature entirely and fall back to individual client IDs.
To my knowledge it’s not possible to disable the availability of the global client information through configuration; like you mentioned, this has the side-effect that it implies the existence of the equivalent of an API key that could be used on legacy management APIs.
Having said that, I’m also not aware of any particular feature that, given the existence of alternatives, forces you to have the client secret within your own applications (again, as you mentioned this exists mostly for legacy reasons) so this kind of negates the issue of leaks as the secret is only available at one place; within the Auth0 service, where all the other sensitive data is also located.
With this in mind your best course of action for now is to not rely on it and not make it available elsewhere; it’s still true that every dashboard admin can access it, but administrators already have full control over the account so if you don’t trust them you’ll have bigger issues.
I added a reply with the current state of things in relation to the possibility of disabling it, which is not available. In relation to the change of the global client secret, I thought this would have to go through support. Would having a self-service option for rotating the global client secret without any of the side-effects you mentioned help you address your concerns?