Support multiple client secrets and secret rotation

[sagarshah1983]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe your problem

From security standpoint, we generally see a use-case where we may have to rotate client secret (regularly), but this brings in an impact to the client and force the client to start using new secret to avoid errors or downtime for their users.

In single sentence, I am proposing for a feature that can allow OIDC to authenticate client using new as well as old secret (for some time at least) giving enough time to the client to rotate password/secret used during authentication/authorization workflows.

I don't think, if we want to have a policy managing the rotation (that defines the timeframe for rotating secrets) also managed from within Hydra. That can still be managed outside of hydra.

Describe your ideal solution

Ideal Solution would be to

• Support client authentication with new as well old secret.
• Old secret can be still considered valid for some timeframe (preferably configurable at client level).
• Retire old secret on demand using Admin API

Workarounds or alternatives

Only option we have now is to notify the client that they need to enforce the password/secret change and implement that in their app

Version

1.10.5

Additional Context

This feature has been requested based on this original ticket #3005.

[zepatrik]

Closing as duplicate of #1712