Support for client secret rotation

[sagarshah1983]

Apple Health Integration requires OAuth Client secret to be rotated at regular intervals for security. During this rotation timeframe, old and new secret both should be functional for some time. At some point (configurable), old client secrets would stop working and only new client secret would work thereafter until secrets get rotated again.
On rotation, clients should be able to refresh token with and old and new password (while both are valid).

Is this something that can be supported in Ory Hydra?

[vinckr]

Hello @sagarshah1983
Is this what you are looking for:
#2827
?
Also see this longer discussion on the feature:
#1831

🧇

[sagarshah1983]

Thanks for sharing these. Its more similar to this issue that I could find on the board - #1712
As it's not just related to refresh token flow but also authorization code flow.
Purpose is to rotate the client secret for an existing client such that old and new secret both work for some time in parallel and after some point (configurable time) old secrets stops working and only new secret works fine for refresh token as well as new authorization flows.
Does that make sense?

[vinckr]

It makes sense, how long would the intervals be in your case? And how often do you have to rotate?

Judging from this comment: #1712 (comment) this would be possible in Fosite and thus can be implemented into Hydra.

[sagarshah1983]

Thanks @vinckr for comments. We are looking to keep old secrets valid for a week (preferred as configurable time unit) and rotation may be requested on demand by way of API call or so. Does that make sense?

[woylie]

Just chiming in to say that I'd also like to see this feature. I'm seeing two options:

1. automatically retire the old secret after a configured period (as described above)
2. explicitly retire the old secret using the CLI or HTTP API

As for 2, I'd imagine you'd have the option to add up to two client secrets for a client and remove any one of them at any time. This is how Okta handles it: https://developer.okta.com/docs/guides/client-secret-rotation-key/main/#rotate-a-client-secret

[vinckr]

Hey @woylie, @sagarshah1983
would you be willing to open a feature request at ory/hydra, I think we would definitely consider implementing that if there is a good use case for it and demand from the community.
I marked this as answered for now, but please feel free to come back to this discussion anytime.

[sagarshah1983]

Thanks @vinckr - Based on your suggestons, I have created #3443

[apexskier]

Given fosite supports client secret rotation (ory/fosite#608), this seems technically possible in hydra.

[apexskier]

That doesn't solve the original problem presented in this discussion, as it requires downtime while the two systems (Hydra and the RP) are being updated independently.

[vinckr]

Nevermind, that was a bogus suggestion 😓