Client secret rotation
Overview
Client secret rotation lets cidaas administrators issue a new client secret for an application without downtime: during the transition phase an app may hold two active secrets, so every deployment can be switched to the new secret before the old one is deleted.
Prerequisites
Before rotating a client secret, ensure:
- You have admin access to the cidaas Admin UI.
- The application already has at least one active client secret.
- You know the expiration date of the old secret.
Conditions for rotation
- An existing client secret cannot be modified after creation; rotation creates a new secret instead.
- The old secret must be given an expiration date at least three months from today.
- The new secret may either never expire ("Never expire") or have an expiration date later than today.

OAuth2 standard details
The following parameters are defined by the OAuth 2.0 and OpenID Connect specifications; the two `client_secret_*_at` fields come from the Dynamic Client Registration response (RFC 7591).
| Key | Description | Example |
|---|---|---|
| client_secret | OPTIONAL. A secret unique to one confidential client; it must not be shared between clients. Used for client authentication at the token endpoint (OAuth 2.0 §2.3.1) and for deriving symmetric encryption keys (OIDC Core §10.2). | – |
| client_secret_expires_at | REQUIRED if a client secret is issued. Expiration timestamp of the secret. The specification defines it in seconds since 1970-01-01T00:00:00Z (UTC); a value of 0 means the secret never expires. Note that the example value has 13 digits, i.e. millisecond precision; check which unit your tenant returns before comparing it with the current time. | 1672947389922 |
| client_secret_issued_at | REQUIRED if a secret is issued. Creation timestamp of the secret, in the same unit as `client_secret_expires_at`. Assigned automatically by cidaas. | 1672947389922 |
APIs
Client secret APIs
| API | Description | Link |
|---|---|---|
| Create client secret | Creates a new client secret. cidaas requires the expiration date for both the old and new secrets. | View API |
| Delete client secret | Deletes the old client secret. You must provide the old secret value. | View API |
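The rotation conditions, the two-secret transition window and the create/delete steps above can be modelled end to end. The following is an added example written for this page, not cidaas code or its API: a token-endpoint style check that accepts any active secret of a client, a `rotate()` that enforces the listed conditions (old secret expiry at least three months out, new secret either never expiring or expiring after today, no rotation while two secrets are already active) and a `delete_secret()` that requires the old value. The 90-day reading of "three months", the `NEVER_EXPIRES`/`MIN_OLD_SECRET_LIFETIME` names and the sample secret value are assumptions of the example; `normalize_expires_at()` handles the 13-digit millisecond values shown in the table.

```python
"""Two-secret client-secret rotation model (added example; not cidaas code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field, replace
from typing import List, Optional

NEVER_EXPIRES = 0                        # RFC 7591: client_secret_expires_at == 0 means "never"
# The page requires the old secret to stay valid "at least three months";
# 90 days is this example's assumption for that minimum.
MIN_OLD_SECRET_LIFETIME = 90 * 24 * 3600


def normalize_expires_at(value: int) -> int:
    """Return client_secret_expires_at in seconds.

    RFC 7591 defines the field in seconds, but 13-digit values (as in the
    example on this page) are millisecond timestamps, so scale those down.
    """
    if value == NEVER_EXPIRES:
        return NEVER_EXPIRES
    if value >= 10**12:      # seconds timestamps stay below 10**10 until the year 2286
        return value // 1000
    return value


@dataclass(frozen=True)
class ClientSecret:
    value: str
    issued_at: int            # seconds since epoch, assigned at creation
    expires_at: int           # seconds since epoch, 0 = never expires

    def is_active(self, now: int) -> bool:
        return self.expires_at == NEVER_EXPIRES or now < self.expires_at


@dataclass
class ConfidentialClient:
    client_id: str
    client_secrets: List[ClientSecret] = field(default_factory=list)

    def authenticate(self, presented: str, now: Optional[int] = None) -> bool:
        """Token-endpoint check: any active secret is accepted, expired ones are not."""
        now = int(time.time()) if now is None else now
        ok = False
        for s in self.client_secrets:
            # Compare every slot in constant time and never return early, so
            # response timing does not reveal which secret matched.
            if hmac.compare_digest(s.value.encode(), presented.encode()) and s.is_active(now):
                ok = True
        return ok

    def rotate(self, old_expires_at: int, new_expires_at: int, now: Optional[int] = None) -> str:
        """Create the second secret; returns the new value (the only time it is shown)."""
        now = int(time.time()) if now is None else now
        active = [s for s in self.client_secrets if s.is_active(now)]
        if len(active) != 1:
            raise ValueError("rotation needs exactly one active secret; finish the previous transition first")
        old_expires_at = normalize_expires_at(old_expires_at)
        new_expires_at = normalize_expires_at(new_expires_at)
        if old_expires_at == NEVER_EXPIRES or old_expires_at < now + MIN_OLD_SECRET_LIFETIME:
            raise ValueError("old secret must expire at least three months from today")
        if new_expires_at != NEVER_EXPIRES and new_expires_at <= now:
            raise ValueError("new secret must either never expire or expire after today")
        old = active[0]
        # The secret value itself is immutable; only its expiry is fixed at rotation time.
        self.client_secrets = [s for s in self.client_secrets if s is not old]
        self.client_secrets.append(replace(old, expires_at=old_expires_at))
        new_value = secrets.token_urlsafe(32)          # 256 bits of entropy
        self.client_secrets.append(ClientSecret(new_value, issued_at=now, expires_at=new_expires_at))
        return new_value

    def delete_secret(self, presented: str) -> None:
        """Delete-old-secret step: the caller must present the old secret's value."""
        matches = [s for s in self.client_secrets
                   if hmac.compare_digest(s.value.encode(), presented.encode())]
        if not matches:
            raise ValueError("no such secret")
        if len(self.client_secrets) == 1:
            raise ValueError("refusing to delete the only secret of the client")
        self.client_secrets = [s for s in self.client_secrets if s not in matches]


if __name__ == "__main__":
    # Constructed sample data: a fixed "now" and a placeholder old secret value.
    T0 = 1_700_000_000
    app = ConfidentialClient("my-app", [ClientSecret("old-secret-value", T0, NEVER_EXPIRES)])
    new = app.rotate(old_expires_at=T0 + 100 * 86400, new_expires_at=NEVER_EXPIRES, now=T0)
    print("both accepted during transition:",
          app.authenticate("old-secret-value", now=T0), app.authenticate(new, now=T0))
    app.delete_secret("old-secret-value")
    print("old rejected after deletion:", not app.authenticate("old-secret-value", now=T0))
```

The order matters in practice: rotate, roll the new value out to every deployment, confirm the old value no longer appears in logs or traffic, then delete it. Deleting first turns the transition window into an outage.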
KID rotation (AppKey rotation)
AppKey rotation manages an app's private keys by assigning each key a unique Key ID (kid). Because every key is addressed by its own kid, a compromised key can be retired on its own: only that key is affected, and other applications' keys stay unaffected.
cidaas provides an API to rotate AppKeys securely.
| API | Description | Link |
|---|---|---|
| Rotate app keys | Updates the app with a new client ID and app key. | View API |
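The isolation described above rests on verifiers selecting the key by the `kid` in the token header, which is what lets one kid be retired while tokens under the others keep validating. The following is an added example written for this page, not cidaas code or its AppKey API: a per-app key ring that signs compact JWS tokens with the current kid, rotates to a fresh kid, and revokes a compromised one. It uses HS256 so that it runs on the standard library alone; with RS256 or ES256 the verifier would hold public keys instead, but the kid lookup and revocation logic are the same. The `AppKeyRing` name and the sample claims are this example's assumptions.

```python
"""kid-based app-key rotation and revocation (added example; not cidaas code)."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AppKeyRing:
    """Signing keys of one app, indexed by kid; the 'current' kid signs new tokens."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.revoked: Set[str] = set()
        self.current = ""
        self.rotate()

    def rotate(self) -> str:
        """Generate a fresh key under a new kid and make it the signing key."""
        kid = secrets.token_hex(8)
        self.keys[kid] = secrets.token_bytes(32)   # HS256 key, 256 bits
        self.current = kid
        return kid

    def revoke(self, kid: str) -> None:
        """Retire one kid; tokens signed under it stop validating, others are untouched."""
        if kid == self.current:
            raise ValueError("rotate first, then revoke the compromised kid")
        if kid not in self.keys:
            raise ValueError("unknown kid")
        self.revoked.add(kid)

    def sign(self, claims: dict) -> str:
        header = {"alg": "HS256", "typ": "JWT", "kid": self.current}
        signing_input = "{}.{}".format(
            b64url(json.dumps(header, separators=(",", ":")).encode()),
            b64url(json.dumps(claims, separators=(",", ":")).encode()),
        )
        sig = hmac.new(self.keys[self.current], signing_input.encode(), hashlib.sha256).digest()
        return "{}.{}".format(signing_input, b64url(sig))

    def verify(self, token: str) -> Optional[dict]:
        """Return the claims if the token's kid is known, not revoked, and the MAC matches."""
        try:
            h, p, s = token.split(".")
            header = json.loads(b64url_decode(h))
        except (ValueError, json.JSONDecodeError):
            return None
        kid = header.get("kid")
        # Pin the algorithm: never let the token header choose how it is verified.
        if header.get("alg") != "HS256" or kid not in self.keys or kid in self.revoked:
            return None
        expected = hmac.new(self.keys[kid], "{}.{}".format(h, p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))


if __name__ == "__main__":
    ring = AppKeyRing()
    kid_a = ring.current
    token_a = ring.sign({"sub": "service-1"})     # constructed sample claims
    kid_b = ring.rotate()
    token_b = ring.sign({"sub": "service-1"})
    ring.revoke(kid_a)                             # kid_a compromised: retire only that key
    print("old kid rejected:", ring.verify(token_a) is None)
    print("current kid still valid:", ring.verify(token_b) == {"sub": "service-1"})
```

After a rotation both kids validate until the old one is explicitly revoked, which gives tokens issued under the old key time to expire; revoking before rotating would leave the app without a signing key, so `revoke()` refuses to retire the current kid.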
Need help?
For assistance, visit our Support Portal.