Should Client Secret for OAuth be rotated?

Time:01-16

For OAuth, we need a Client Id and Client Secret to generate the authentication tokens. Now I have a couple of questions on this:

  • Can the two values only be used for the application against which those are generated, meaning are those mapped to a single application only? If I share those credentials, can any other application use those?

  • What is the general recommendation or practice, do we need to rotate the Client Secret (and/or Client Id)?

CodePudding user response:

Here are the answers to your questions:

  1. Yes, these credentials can only be used against the application for which they were generated. In fact, client_id is the key that identifies that application. You can always use these credentials for multiple apps. You can compare client_id & client_secret with username & password. There can be only one user entity behind a username & password. Similarly, only one application is mapped to a client_id & client_secret.

  2. You don't need to rotate, but client_secret has an expiry date which differs between identity providers. So the best practices are to store it securely & regenerate/update it before it expires.

Take a look on this article for more insights: https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/
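As an added example that is not from the post or its linked article: a minimal Python model of the authorization-server side of this, where a client_secret is bound to exactly one client_id, is stored only as a salted hash, carries an expiry, and can be regenerated before it expires with a short overlap so the application can switch over without an outage. The `ClientRegistry` class, its methods and the sample client ids are assumptions for illustration, not any provider's API.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Treat the client secret like a password: only a salted hash is kept at rest.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class StoredSecret:
    salt: bytes
    digest: bytes
    expires_at: datetime


@dataclass
class ClientRegistry:
    # Hypothetical registry: client_id -> currently valid secrets (at most two during rotation).
    clients: dict = field(default_factory=dict)

    def issue_secret(self, client_id: str, lifetime: timedelta, now: datetime) -> str:
        """Generate a new secret for client_id; the previous one stays valid until it expires."""
        secret = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        entry = StoredSecret(salt, _hash_secret(secret, salt), now + lifetime)
        self.clients.setdefault(client_id, []).append(entry)
        # Keep only the newest two so the rotation overlap window stays bounded.
        self.clients[client_id] = self.clients[client_id][-2:]
        return secret  # shown to the operator once; the plaintext is never stored

    def authenticate(self, client_id: str, client_secret: str, now: datetime) -> bool:
        """Accept a secret only for the client_id it was issued to, and only before expiry."""
        for entry in self.clients.get(client_id, []):
            if now >= entry.expires_at:
                continue  # expired secrets are ignored even if they would otherwise match
            if hmac.compare_digest(_hash_secret(client_secret, entry.salt), entry.digest):
                return True
        return False

    def expiring_soon(self, client_id: str, now: datetime, window: timedelta) -> bool:
        """True when the newest secret expires within `window`: time to regenerate it."""
        entries = self.clients.get(client_id, [])
        return not entries or max(e.expires_at for e in entries) - now <= window
```

Checking `expiring_soon` on a schedule and issuing the replacement while the old secret is still valid is what turns "regenerate before it expires" into a zero-downtime procedure.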
