A client secret is a confidential key that the client uses to authenticate itself to the authorization server. Example client secret: 1912308468823890
You can rotate your client secret to issue a new refresh token and invalidate the previous token. This rotation adds a further layer of security.
Consider these refresh token behaviors:
- Non-rotatable: has no token usage limit, because the token never expires.
- Rotatable: has token usage limits:
  - Has a fixed lifetime.
  - Can be used only once during that lifetime.
  - Becomes invalid if you fail to generate the next rotatable refresh token.
For example:
- Set the lifetime to 10 minutes.
- Complete your authentication, which generates an access token and refresh token A.
- After five minutes, use refresh token A to generate a new access token and refresh token B.
- Seven minutes later (12 minutes after A was generated), use refresh token B to obtain a fresh access token. You receive an error that token B has expired, because its lifespan is calculated from the time A was generated, not from the time B was issued.
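The two behaviors and the 10-minute walkthrough above, modelled as an added example of the authorization-server-side check (hypothetical code, not the product's own implementation): a rotatable token is single-use and its lifetime runs from the first token in its chain, while a non-rotatable token is reusable and never expires.

```python
from dataclasses import dataclass
import secrets

@dataclass
class RefreshToken:
    value: str
    rotatable: bool
    chain_start: float  # when the first token of this rotation chain was issued
    lifetime: float     # seconds; not enforced for non-rotatable tokens
    used: bool = False

class RefreshTokenStore:
    """Hypothetical authorization-server store for the two behaviors in the text."""
    def __init__(self):
        self._tokens = {}

    def issue(self, rotatable, lifetime, now):
        # the first refresh token after a completed authentication starts a chain
        tok = RefreshToken(secrets.token_urlsafe(16), rotatable, now, lifetime)
        self._tokens[tok.value] = tok
        return tok.value

    def refresh(self, value, now):
        """Return the next refresh token, or None when the exchange must be refused
        (a token endpoint would answer with an invalid_grant error)."""
        tok = self._tokens.get(value)
        if tok is None or tok.used:  # unknown, or a single-use token presented again
            return None
        if not tok.rotatable:
            return value  # non-rotatable: unlimited uses, never expires
        if now - tok.chain_start >= tok.lifetime:  # lifetime counts from chain start
            return None
        tok.used = True
        nxt = RefreshToken(secrets.token_urlsafe(16), True, tok.chain_start, tok.lifetime)
        self._tokens[nxt.value] = nxt
        return nxt.value

def walk_through_example():
    """The 10-minute scenario from the text; times are seconds since A was issued."""
    store = RefreshTokenStore()
    a = store.issue(rotatable=True, lifetime=600, now=0)
    b = store.refresh(a, now=300)  # minute 5: A -> B succeeds
    fixed = store.issue(rotatable=False, lifetime=600, now=0)
    return {
        "b_issued": b is not None and b != a,
        "a_reuse_rejected": store.refresh(a, now=400) is None,  # A consumed at minute 5
        "b_expired": store.refresh(b, now=720) is None,  # seven minutes on: minute 12 > 10
        "non_rotatable_still_valid": store.refresh(fixed, now=10**6) == fixed,
    }
```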
To rotate the client secret:
- Select Administration from the top-left navigation menu.
- Select Security > OAuth Clients.
- Select an OAuth 2.0 client from your list. The right-side panel opens.
- Select Rotate next to the Client secret in the right-side panel. The Rotate client secret dialog displays.
- Select Rotate client secret in the Rotate client secret dialog.
- To change the Refresh token behavior, select a behavior in the right-side panel:
  - Non-rotatable
  - Rotatable
- To change the Refresh token lifetime, enter a new value in the field in the right-side panel.
  Note: The lifetime is entered in seconds; the default is 43,200 seconds (12 hours). The maximum time a token can remain valid is 365 days. Consult your company's security policies when choosing this value.
- Select Save.