feat: Docs for client secret rotation #2424
Open
+131
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SamuelDev
requested review from
aeneasr,
piotrmsc,
unatasha8,
vinckr and
zepatrik
as code owners
SamuelDev
force-pushed
the
client-secret-rotation-docs
branch
from
068aa3d to
5e927b3
Compare
7 tasks
Author
|
Javascript integration test failure seems like a CI issue and unrelated to these changes |
Contributor
|
@wassimoo @unatasha8 would you kindly take a look at this pls? |
vinckr
force-pushed
the
client-secret-rotation-docs
branch
from
19afb45 to
29299a0
Compare
vinckr
reviewed
Feb 11, 2026
Member
vinckr
left a comment
vinckr
left a comment
There was a problem hiding this comment.
lgtm :) fixed some layout issues
unatasha8
reviewed
Feb 12, 2026
| ## Rotate OAuth2 client secret | ||
|
|
||
| OAuth2 client secret rotation allows you to change a client's secret without downtime. When you rotate a secret, the old secret | ||
| remains valid until you explicitly clean it up, allowing you to update all services using the client credentials without service |
Contributor
There was a problem hiding this comment.
Suggested change
| remains valid until you explicitly clean it up, allowing you to update all services using the client credentials without service | |
| remains valid until you remove it, allowing you to update all your services without service |
unatasha8
reviewed
Feb 12, 2026
|
|
||
| ##### How secret rotation works | ||
|
|
||
| 1. Rotate the secret: Generate a new secret for the client |
Contributor
There was a problem hiding this comment.
Suggested change
| 1. Rotate the secret: Generate a new secret for the client | |
| 1. Generate a new secret for the client service |
unatasha8
reviewed
Feb 12, 2026
| ##### How secret rotation works | ||
|
|
||
| 1. Rotate the secret: Generate a new secret for the client | ||
| 2. Both secrets work: Old and new secrets both authenticate until cleanup |
Contributor
unatasha8
reviewed
Feb 12, 2026
|
|
||
| 1. Rotate the secret: Generate a new secret for the client | ||
| 2. Both secrets work: Old and new secrets both authenticate until cleanup | ||
| 3. Update services: Update your applications to use the new secret |
Contributor
There was a problem hiding this comment.
Suggested change
| 3. Update services: Update your applications to use the new secret | |
| 3. Update your client services to use the new secret |
unatasha8
reviewed
Feb 12, 2026
| 1. Rotate the secret: Generate a new secret for the client | ||
| 2. Both secrets work: Old and new secrets both authenticate until cleanup | ||
| 3. Update services: Update your applications to use the new secret | ||
| 4. Cleanup: Manually remove old rotated secrets once all services are updated |
Contributor
There was a problem hiding this comment.
Suggested change
| 4. Cleanup: Manually remove old rotated secrets once all services are updated | |
| 4. After you test the client services can authenticate with the new secret, manually remove the old secret. |
unatasha8
reviewed
Feb 12, 2026
|
|
||
| ##### Clear rotated secrets | ||
|
|
||
| Once all services have been updated to use the new secret, you can remove the old rotated secrets to revoke access using the old |
Contributor
There was a problem hiding this comment.
Suggested change
| Once all services have been updated to use the new secret, you can remove the old rotated secrets to revoke access using the old | |
| Once all services are updated to use the new secret, remove the old secret to revoke access using the old |
unatasha8
reviewed
Feb 12, 2026
| ##### Clear rotated secrets | ||
|
|
||
| Once all services have been updated to use the new secret, you can remove the old rotated secrets to revoke access using the old | ||
| credentials: |
Contributor
There was a problem hiding this comment.
Suggested change
| credentials: | |
| secret: |
unatasha8
reviewed
Feb 12, 2026
| -H "Authorization: Bearer ory_pat_..." | ||
| ``` | ||
|
|
||
| After cleanup, only the current secret will be valid. Old secrets will no longer authenticate. |
Contributor
There was a problem hiding this comment.
Suggested change
| After cleanup, only the current secret will be valid. Old secrets will no longer authenticate. | |
| After removing the old secret, only the current (new) secret is valid. The old secret can no longer authenticate. |
unatasha8
reviewed
Feb 12, 2026
| id: clientId | ||
| }) | ||
|
|
||
| // Old secrets are now revoked |
Contributor
There was a problem hiding this comment.
Suggested change
| // Old secrets are now revoked | |
| // Old secret is now revoked. |
unatasha8
reviewed
Feb 12, 2026
|
|
||
| echo "New secret: $NEW_SECRET" | ||
|
|
||
| # 3. Update your applications with the new secret |
Contributor
There was a problem hiding this comment.
Suggested change
| # 3. Update your applications with the new secret | |
| # 3. Update your client servcies with the new secret |
unatasha8
reviewed
Feb 12, 2026
| -u "$CLIENT_ID:$NEW_SECRET" \ | ||
| -d "grant_type=client_credentials" | ||
|
|
||
| # 5. Once all services are updated, clean up old secrets |
Contributor
There was a problem hiding this comment.
Suggested change
| # 5. Once all services are updated, clean up old secrets | |
| # 5. Once all client services are updated, remove the old secret |
unatasha8
reviewed
Feb 12, 2026
|
|
||
| :::tip Zero-downtime credential rotation | ||
|
|
||
| Secret rotation enables zero-downtime credential updates. Both the old and new secrets remain valid until you manually clean up |
Contributor
There was a problem hiding this comment.
Suggested change
| Secret rotation enables zero-downtime credential updates. Both the old and new secrets remain valid until you manually clean up | |
| Secret rotation enables zero-downtime credential updates. Both the old and new secrets remain valid until you manually remove |
unatasha8
reviewed
Feb 12, 2026
| :::tip Zero-downtime credential rotation | ||
|
|
||
| Secret rotation enables zero-downtime credential updates. Both the old and new secrets remain valid until you manually clean up | ||
| the rotated secrets, allowing you to update all your services without service interruption. |
Contributor
There was a problem hiding this comment.
Suggested change
| the rotated secrets, allowing you to update all your services without service interruption. | |
| the old secret, allowing you to update all your client services without service interruption. |
unatasha8
reviewed
Feb 12, 2026
|
|
||
| :::warning Security best practice | ||
|
|
||
| Rotated secrets remain valid indefinitely until you explicitly clean them up. Always remove old rotated secrets once your |
Contributor
There was a problem hiding this comment.
Suggested change
| Rotated secrets remain valid indefinitely until you explicitly clean them up. Always remove old rotated secrets once your | |
| Secrets remain valid indefinitely until you explicitly remove them. Always remove old secrets once your |
unatasha8
reviewed
Feb 12, 2026
| :::warning Security best practice | ||
|
|
||
| Rotated secrets remain valid indefinitely until you explicitly clean them up. Always remove old rotated secrets once your | ||
| migration is complete to ensure that compromised credentials cannot be used. |
Contributor
There was a problem hiding this comment.
Suggested change
| migration is complete to ensure that compromised credentials cannot be used. | |
| secret rotation process is complete to ensure that compromised credentials cannot be used. |
unatasha8
reviewed
Feb 12, 2026
|
|
||
| :::warning Security best practice | ||
|
|
||
| Rotated secrets remain valid indefinitely until you explicitly clean them up. Always remove old rotated secrets once your |
Contributor
There was a problem hiding this comment.
"secrets remain valid indefinitely" Are you sure? Don't they have a validity date?
Deepak just added this feature: "The SAML connection includes a valid_to attribute, which is an array of expiry dates for the signing certificates associated". This might not directly link to your code as it's for SAML... but wanted to point it out to you.
unatasha8
reviewed
Feb 12, 2026
| 3. Update services: Update your applications to use the new secret | ||
| 4. Cleanup: Manually remove old rotated secrets once all services are updated | ||
|
|
||
| ##### Rotate client secret |
Contributor
There was a problem hiding this comment.
Suggested change
| ##### Rotate client secret | |
| ##### Rotate OAuth2 client secret |
unatasha8
reviewed
Feb 12, 2026
| -H "Authorization: Bearer ory_pat_..." | ||
| ``` | ||
|
|
||
| The response includes the new `client_secret`. Save this value immediately - it will not be shown again. |
Contributor
There was a problem hiding this comment.
Where should this be saved? Is there a secure location it should be saved to?
unatasha8
reviewed
Feb 12, 2026
| </Tabs> | ||
| ```` | ||
|
|
||
| ##### Clear rotated secrets |
Contributor
There was a problem hiding this comment.
Suggested change
| ##### Clear rotated secrets | |
| ##### Remove old secret |
unatasha8
requested changes
Feb 12, 2026
Contributor
unatasha8
left a comment
unatasha8
left a comment
There was a problem hiding this comment.
In general, keep to singular for 'secret' if the process is one at a time. Pick one to use client(s), client service(s), service(s), application(s) etc. I tried to change all to client services.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related Issue or Design Document
Docs updates for client secret rotation
Checklist
If this pull request addresses a security vulnerability,
I confirm that I got approval (please contact security@ory.com) from the maintainers to push the changes.
Further comments