Rotate OAuth Client Secret

oauth
api

#1

We were looking to rotate our client id and secret and wanted to know if existing tokens (auth and refresh) will work across valid client ids. Also, if we deactivate the old app once our app is using the new keys, will keys created on the old app still work & refresh?

Is there a way to migrate existing auths across client ids?

Thanks!


#2

A user's access_token will only work with the consumer key it was generated with. Once you deactivate an old consumer key the user access_tokens generated by it will stop working.

The general approach to follow is to have all current users' access_tokens associated with consumer key A. Once you deploy a new consumer key B all new authentications will use that and their new access_tokens will overwrite the old ones and be associated with consumer key B. When doing work in the background you will have to make sure the consumer key associated with the acting user gets used.

Users will naturally migrate to the new consumer key as they authenticate with your app. As you get closer to wanting to deactivate the old consumer key you can start resetting users' authentication so they have to log in again. Eventually you'll have to just disable the old key and users won't be able to do anything until they reauthorize.
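The dual-key migration described in this reply, as an added example that is not code from the thread or from the API provider: a small store that records which consumer key each user's tokens were issued under, hands background jobs the matching key and secret, and reports who is still stranded on the old key before it is deactivated. Key names, secrets and tokens are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Grant:
    consumer_key: str   # key the tokens were issued under; tokens only work with it
    access_token: str
    refresh_token: str


class RotationStore:
    """Tracks users' tokens across two concurrently valid consumer keys."""

    def __init__(self, consumer_key: str, consumer_secret: str):
        self.keys = {consumer_key: consumer_secret}   # registered key -> secret
        self.active = consumer_key                    # key used for all NEW authorizations
        self.grants: dict[str, Grant] = {}

    def rotate_to(self, new_key: str, new_secret: str) -> None:
        """Register key B and make it active; key A keeps working for existing grants."""
        self.keys[new_key] = new_secret
        self.active = new_key

    def record_auth(self, user: str, access_token: str, refresh_token: str) -> Grant:
        """User completes the OAuth flow: new tokens overwrite any older grant."""
        self.grants[user] = Grant(self.active, access_token, refresh_token)
        return self.grants[user]

    def credentials_for(self, user: str) -> tuple[str, str]:
        """Background work must sign with the key the acting user's token belongs to."""
        grant = self.grants[user]
        if grant.consumer_key not in self.keys:
            raise PermissionError(f"{user}: consumer key deactivated, re-authorization needed")
        return grant.consumer_key, self.keys[grant.consumer_key]

    def users_on(self, consumer_key: str) -> list[str]:
        """Who has not yet migrated to the new key (useful before deactivating the old one)."""
        return sorted(u for u, g in self.grants.items() if g.consumer_key == consumer_key)

    def reset_auth(self, user: str) -> None:
        """Force a re-login so the user migrates to the active key on next use."""
        self.grants.pop(user, None)

    def deactivate(self, consumer_key: str) -> list[str]:
        """Disable the old key; returns the users whose tokens just stopped working."""
        if consumer_key == self.active:
            raise ValueError("refusing to deactivate the active consumer key")
        stranded = self.users_on(consumer_key)
        del self.keys[consumer_key]
        return stranded
```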


#3

Got it! It sounds like your method (using a new key and secret) requires the users to re-auth, correct? We’re hoping to avoid that.

Ideally there’d be a way to regenerate the consumer secret and have users not experience anything more than a temporary outage while our app is updated to use the new values. Is something like that possible?


#4

No. Each user will have to go through the OAuth flow to get on the new consumer key. This is why you would run both keys concurrently for a while. The old key keeps working but users migrate to the new key as they naturally authenticate with your app.


#5

I understand. That’s a disappointing answer, seeing as most services we work with have an ability to rotate secrets with minimal user impact. Nevertheless, we’ll figure something out. Thanks for your responses!