
Rotate secret without downtime?


#1

Hi,

In this section: https://auth0.com/docs/applications/how-to-rotate-application-secret#update-authorized-applications, it says that in order to avoid downtime we should support having two secrets in our code. I don’t understand how this would help.

As far as I can tell, there is no way to know the new secret before clicking the rotate button. When I do this, a new secret is generated and immediately activated and the old one is gone.
So there is no way to know the new secret in advance and as soon as it’s active, the old secret is invalid. Which means that I can’t start deploying before I have rotated it. That is stressful and even with a perfectly smooth deploy, it still takes some 15-20 minutes for us at the moment, during which people are unable to log in.

Is there a different way to go about this that I am not aware of?

Cheers,
Kristian


#2

Hi @kristian_d,

You are right, when you use the rotate secret function in the dashboard you are not able to know the client_secret in advance. However, you could generate your own client_secret, update your applications with the second secret, and then use the Management API to update the client’s client_secret.

Using the Management API would allow you to know the client_secret in advance as you would be generating this yourself and informing auth0 of that secret.

Here is the docs/endpoint for updating a client. In the body sample it shows how you can submit the request with a client_secret.

Shawn
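The rollout Shawn describes, as an added example that is not part of the thread or Auth0's own tooling: generate the new secret locally, ship the application with both secrets so either one works, then build the Management API PATCH (assumed here as `PATCH /api/v2/clients/{id}` with a `client_secret` field, per the client update endpoint linked above) that makes the new one active. The token endpoint is a constructed stand-in, and `domain`, `client_id` and the Management API token are placeholders.

```python
import hmac
import json
import secrets
from typing import Callable, Dict, Sequence


class InvalidClient(Exception):
    """Raised by the token endpoint when the presented client_secret is not the active one."""


def generate_client_secret(nbytes: int = 48) -> str:
    # Generated locally, so the value is known before Auth0 is told about it.
    return secrets.token_urlsafe(nbytes)


def build_rotate_request(domain: str, client_id: str, new_secret: str, mgmt_token: str):
    """Build the Management API call that sets the client's secret to the value we chose.
    Returns (method, url, headers, body) instead of sending it, so a rollout script can
    log and review the request before issuing it with any HTTP client."""
    url = f"https://{domain}/api/v2/clients/{client_id}"  # assumed endpoint, see lead-in
    headers = {"Authorization": f"Bearer {mgmt_token}", "Content-Type": "application/json"}
    return "PATCH", url, headers, json.dumps({"client_secret": new_secret})


def exchange_with_fallback(candidates: Sequence[str], do_exchange: Callable[[str], Dict]) -> Dict:
    """Dual-secret support in the application: try the new secret first, then the old one.
    Instances deployed with [new, old] keep working before the PATCH (old is active) and
    after it (new is active), so the deploy and the rotation no longer have to coincide."""
    last_error: Exception = RuntimeError("no client secrets configured")
    for secret in candidates:
        try:
            return do_exchange(secret)
        except InvalidClient as exc:
            last_error = exc
    raise last_error


def fake_token_endpoint(active_secret: str) -> Callable[[str], Dict]:
    """Constructed stand-in for Auth0's /oauth/token: exactly one secret is active at a time."""
    def do_exchange(presented: str) -> Dict:
        if not hmac.compare_digest(presented.encode(), active_secret.encode()):
            raise InvalidClient("invalid_client")
        return {"access_token": "constructed-token", "used_secret": presented}
    return do_exchange


if __name__ == "__main__":
    old, new = generate_client_secret(), generate_client_secret()
    app_secrets = [new, old]  # step 1: deploy this config to every instance
    print(exchange_with_fallback(app_secrets, fake_token_endpoint(old))["used_secret"] == old)
    print(exchange_with_fallback(app_secrets, fake_token_endpoint(new))["used_secret"] == new)
```

Once every instance carries both secrets and the PATCH has been applied, a later deploy can drop the old value from the list.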