Better support for credential rotation #1675

sgallag-insta opened this issue Oct 25, 2023 · 0 comments
@sgallag-insta

Right now credential rotation while using Doorkeeper seems a little cumbersome. From my POV, there are currently 2 major approaches that can be taken:

  1. Only the secret is rotated. This approach seems more elegant, but the major drawback here is that client applications cannot authenticate until they have updated their credentials in the code.
  2. The entire OAuth application is rotated. This allows for a grace period during which new credentials can be added/tested while the old credentials remain active. However, this method is not without consequences. Assuming we do not purge all tokens during the rotation, if the client wants to revoke a token during the transition period, they may end up attempting to revoke a token created by a different OAuth application (not allowed). Also, if anyone is using the oauth_application_id or uid for metrics, they have to take this transition into account.

My suggestion/feature request here would be to add additional support for approach 1. Perhaps we could have an "old_secret" field that remains active for a period of time after the secret field is updated. Thoughts?
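A sketch of the "old_secret with a grace period" idea from approach 1, written as an added, stand-alone example (not Doorkeeper's code or API): the previous secret stays valid until an expiry timestamp, can be retired early, and both secrets are checked with a constant-time comparison. The class name, the 24-hour grace period and the `:current`/`:old` return values are assumptions for illustration.

```ruby
require "digest"
require "securerandom"

# Added example, not Doorkeeper's own model: an OAuth application whose
# previous secret remains accepted for a bounded grace window after rotation.
class OAuthApp
  GRACE_PERIOD = 24 * 60 * 60 # assumed: previous secret stays valid for one day

  attr_reader :secret, :old_secret, :old_secret_expires_at

  def initialize(secret)
    @secret = secret
    @old_secret = nil
    @old_secret_expires_at = nil
  end

  # Rotate: the current secret becomes old_secret for the grace period and a
  # fresh secret is generated. Clients can switch over any time in the window.
  def rotate!(now: Time.now, grace: GRACE_PERIOD)
    @old_secret = @secret
    @old_secret_expires_at = now + grace
    @secret = SecureRandom.hex(32)
  end

  # End the grace period early, e.g. once every client confirms the new secret.
  def retire_old_secret!
    @old_secret = nil
    @old_secret_expires_at = nil
  end

  # Returns :current, :old (accepted via the grace window) or nil (rejected).
  # Logging :old separately lets operators see which clients have not migrated.
  def authenticate(presented, now: Time.now)
    return :current if secure_equal?(@secret, presented)
    old_valid = !@old_secret.nil? && now < @old_secret_expires_at
    return :old if old_valid && secure_equal?(@old_secret, presented)
    nil
  end

  private

  # Constant-time equality over fixed-length digests, so neither the length of
  # the presented value nor an early mismatch changes the comparison time.
  def secure_equal?(expected, presented)
    a = Digest::SHA256.digest(expected.to_s).bytes
    b = Digest::SHA256.digest(presented.to_s).bytes
    a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```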
