The private key JWT solution suggested in this thread cannot, as far as I know, be used in most third-party libraries for OpenId Connect (M2M clients you roll yourself can of course do it easily).
I’d be happy if Auth0 could provide a way to implement secret rotation without downtime, for example in this sample: GitHub - auth0-samples/auth0-aspnetcore-mvc-samples: Auth0 Integration Samples for ASP.NET Core MVC Web Applications, as there’s no way to implement fallback functionality, or private JWT key signing, in the OpenId Connect library used there. Supporting multiple secrets being valid at the same time seems like a quite simple solution to this and would work for any OpenId Connect library…
I was, to be honest, very surprised when we started using Auth0 about two years ago that a good way to implement secret rotation wasn’t there from the start. And now that all this time has passed and it’s been brought up in various threads here, it’s still not implemented. I assume there are things in the Auth0 infrastructure that make this functionality more complex to implement than it looks on the surface, given the time that has passed, but I think you really should prioritize it highly given all the downsides of forcing your customers (us) to keep the secrets static over time.
It is, to be honest, a bit weird that this item is deemed a “roadmap candidate” and not already on the actual roadmap, as being able to rotate secrets without breaking the application is a core security feature (which most likely means that no-one is actually rotating secrets).
Has this status been changed and added to the roadmap yet?
We have this on our roadmap as Zero Downtime Rotation for client secret - EA which is currently targeted for SEP 2025 (please don’t read this as an ETA)
Does this product still have a development team? It looks like the last release was June 6, 2022. The most requested feature is on the roadmap for Sep 2025. Is this product being abandoned in favour of Okta, which has a release every month?
It is shocking that industry leader Auth0 doesn’t support multiple certificates, or some other strategy for seamless certificate rotation.
Coordinating an after-hours or weekend phone call with each customer every year is expensive, annoying, and error prone. We had one last night that went sideways due to a simple copy-paste error. We had to roll back quickly and reschedule another (after hours) appointment with the customer to try again with the corrected certificate.
Supporting multiple certificates has the potential to ease all that scheduling/downtime pain, AND to provide a safe proving ground for new certificates’ accuracy and validity.
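As an added example, not code from this thread or from Auth0, here is how an authorization server could model what both the first post (several client secrets valid at once) and the last post (a proving ground for the new credential before the old one is retired) are asking for. The store keeps every secret that is still inside its overlap window, `rotate` issues a new secret while scheduling the old one to retire, `verify` accepts any still-valid secret using constant-time comparison over every candidate, and `revoke_previous` cuts the overlap short once the client has confirmed the switch. All class, method and parameter names here are hypothetical and chosen for illustration; the timestamps are injected so the walkthrough is deterministic.

```python
"""Hypothetical authorization-server model of overlapping client secrets.
Not an Auth0 API; written to illustrate zero-downtime secret rotation."""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class ClientSecret:
    value: str
    created_at: datetime
    retire_at: Optional[datetime]  # None: current secret, no retirement scheduled


class ClientSecretStore:
    """Every secret that is still valid for one OAuth client (hypothetical)."""

    def __init__(self, overlap: timedelta, now: datetime):
        self.overlap = overlap
        self._secrets: List[ClientSecret] = [
            ClientSecret(secrets.token_urlsafe(32), now, None)
        ]

    def current(self) -> str:
        """The newest secret; the one a freshly configured client should use."""
        return self._secrets[-1].value

    def rotate(self, now: datetime) -> str:
        """Issue a new secret; the previous one stays valid for `overlap`."""
        for s in self._secrets:
            if s.retire_at is None:
                s.retire_at = now + self.overlap
        new = ClientSecret(secrets.token_urlsafe(32), now, None)
        self._secrets.append(new)
        self._prune(now)
        return new.value

    def revoke_previous(self, now: datetime) -> None:
        """End the overlap early once the client confirms it switched over."""
        for s in self._secrets[:-1]:
            s.retire_at = now
        self._prune(now)

    def verify(self, presented: str, now: datetime) -> bool:
        """Accept any secret whose retirement time has not passed.
        Every candidate is compared, in constant time, so the outcome does
        not leak which (or how many) secrets are currently active."""
        ok = False
        for s in self._secrets:
            still_valid = s.retire_at is None or now < s.retire_at
            match = hmac.compare_digest(presented.encode(), s.value.encode())
            ok = ok | (still_valid & match)
        return ok

    def active_count(self, now: datetime) -> int:
        self._prune(now)
        return len(self._secrets)

    def _prune(self, now: datetime) -> None:
        self._secrets = [s for s in self._secrets
                         if s.retire_at is None or now < s.retire_at]


def rotation_walkthrough() -> dict:
    """Rotate with a 7-day overlap and record what each check returned."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store = ClientSecretStore(overlap=timedelta(days=7), now=t0)
    old = store.current()
    new = store.rotate(now=t0 + timedelta(days=1))  # old retires at day 8
    day3, day9 = t0 + timedelta(days=3), t0 + timedelta(days=9)
    return {
        "old_during_overlap": store.verify(old, day3),   # True: still in window
        "new_during_overlap": store.verify(new, day3),   # True: proving ground
        "garbage_rejected": store.verify("not-a-secret", day3),  # False
        "old_after_overlap": store.verify(old, day9),    # False: retired
        "new_after_overlap": store.verify(new, day9),    # True
        "active_after_overlap": store.active_count(day9),  # 1
    }


def early_revoke_walkthrough() -> dict:
    """Client confirms the switch on day 2, so the old secret dies early."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store = ClientSecretStore(overlap=timedelta(days=7), now=t0)
    old = store.current()
    new = store.rotate(now=t0 + timedelta(days=1))
    store.revoke_previous(now=t0 + timedelta(days=2))
    day3 = t0 + timedelta(days=3)
    return {
        "old_after_revoke": store.verify(old, day3),  # False
        "new_after_revoke": store.verify(new, day3),  # True
        "active": store.active_count(day3),           # 1
    }
```

The operational pattern this enables is the one the last post describes: create the new secret, deploy it to the client, confirm with a real token request that it works while the old one is still accepted, then revoke the old one. A copy-paste error in the new secret is caught by that confirmation step and costs a retry, not a rollback, because the old credential never stopped working.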