keycloak-scim/server_admin/topics/clients/oidc/proc-secret-rotation.adoc

[id="proc-secret-rotation_{context}"]

[[_proc-secret-rotation]]

= Creating an OIDC Client Secret Rotation Policy
[role="_abstract"]

The following is an example of defining a secret rotation policy:

.Procedure
. Click *Realm Settings* in the menu.

. Click *Client Policies* tab.

. On the *Profiles* page, click *Create client profile*.
+
.Create a profile
image:images/create-oidc-client-profile.png[Create Client Profile]

. Enter any name for *Name*.

. Enter a description that helps you identify the purpose of the profile for *Description*.

. Click *Save*.
+
This action creates the profile and enables you to configure executors.
. Click *Add executor* to configure an executor for this profile.
+
.Create a profile executor
image:images/create-oidc-client-secret-rotation-executor.png[Client Profile Executor]

. Select _secret-rotation_ for *Executor Type*.

. Enter the maximum duration time of each secret, in seconds, for *Secret Expiration*.

. Enter the maximum duration time of each rotated secret, in seconds, for *Rotated Secret Expiration*.
+
WARNING: Remember that the *Rotated Secret Expiration* value must always be less than *Secret Expiration*.
. Enter the amount of time, in seconds, after which any update action will update the client for *Remain Expiration Time*.

. Click *Add*.
+
====
In the example above:

* Each secret is valid for one week.
* The rotated secret expires after two days.
* The window for updating dynamic clients starts one day before the secret expires.
====
+
. Return to the *Client Policies* tab.

. Click *Policies*.

. Click *Create client policy*.
+
.Create the Client Secret Rotation Policy
image:images/create-oidc-client-secret-rotation-policy.png[Client Rotation Policy]

. Enter any name for *Name*.

. Enter a description that helps you identify the purpose of the policy for *Description*.

. Click *Save*.
+
This action creates the policy and enables you to associate policies with profiles. It also allows you to configure the conditions for policy execution.
+
. Under Conditions, click *Add condition*.
+
.Create the Client Secret Rotation Policy Condition
image:images/create-oidc-client-secret-rotation-condition.png[Client Rotation Policy Condition]

. To apply the behavior to all confidential clients select _client-access-type_ in the *Condition Type* field
+
[NOTE]
====
To apply to a specific group of clients, another approach would be to select the _client-roles_ type in the *Condition Type* field. In this way, you could create specific roles and assign a custom rotation configuration to each role.
====
+
. Add _confidential_ to the field *Client Access Type*.

. Click *Add*.

. Back in the policy setting, under _Client Profiles_, click *Add client profile* and then select *Weekly Client Secret Rotation Profile* from the list and then click *Add*.
+
.Client Secret Rotation Policy
image:images/oidc-client-secret-rotation-policy.png[Client Rotation Policy]

[NOTE]
====
To apply the secret rotation behavior to an existing client, follow the following steps:

.Using the Admin Console
. Click *Clients* in the menu.
. Click a client.
. Click the *Credentials* tab.
. Click *Re-generate* of the client secret.
====

---

.Using client REST services it can be executed in two ways:
* Through an update operation on a client
* Through the regenerate client secret endpoint
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00			`[id="proc-secret-rotation_{context}"]`

			`[[_proc-secret-rotation]]`

			`= Creating an OIDC Client Secret Rotation Policy`
			`[role="_abstract"]`

			`The following is an example of defining a secret rotation policy:`

			`.Procedure`
Updating Server Admin Guide for new Admin Console (#1626) Closes #1575 2022-07-26 15:50:24 +00:00			`. Click Realm Settings in the menu.`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00
			`. Click Client Policies tab.`

Updating Server Admin Guide for new Admin Console (#1626) Closes #1575 2022-07-26 15:50:24 +00:00			`. On the Profiles page, click Create client profile.`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00			`+`
			`.Create a profile`
Preparing Server Admin Guide for RHBK (#1690) Closes #1688 2022-10-05 18:43:15 +00:00			`image:images/create-oidc-client-profile.png[Create Client Profile]`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00
			`. Enter any name for Name.`

			`. Enter a description that helps you identify the purpose of the profile for Description.`

			`. Click Save.`
			`+`
Updating Server Admin Guide for new Admin Console (#1626) Closes #1575 2022-07-26 15:50:24 +00:00			`This action creates the profile and enables you to configure executors.`
			`. Click Add executor to configure an executor for this profile.`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00			`+`
Preparing Server Admin Guide for RHBK (#1690) Closes #1688 2022-10-05 18:43:15 +00:00			`.Create a profile executor`
			`image:images/create-oidc-client-secret-rotation-executor.png[Client Profile Executor]`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00
			`. Select _secret-rotation_ for Executor Type.`

			`. Enter the maximum duration time of each secret, in seconds, for Secret Expiration.`

			`. Enter the maximum duration time of each rotated secret, in seconds, for Rotated Secret Expiration.`
			`+`
			`WARNING: Remember that the Rotated Secret Expiration value must always be less than Secret Expiration.`
			`. Enter the amount of time, in seconds, after which any update action will update the client for Remain Expiration Time.`

Updating Server Admin Guide for new Admin Console (#1626) Closes #1575 2022-07-26 15:50:24 +00:00			`. Click Add.`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00			`+`
			`====`
			`In the example above:`

			`* Each secret is valid for one week.`
			`* The rotated secret expires after two days.`
			`* The window for updating dynamic clients starts one day before the secret expires.`
			`====`
			`+`
			`. Return to the Client Policies tab.`

			`. Click Policies.`

Updating Server Admin Guide for new Admin Console (#1626) Closes #1575 2022-07-26 15:50:24 +00:00			`. Click Create client policy.`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00			`+`
			`.Create the Client Secret Rotation Policy`
Preparing Server Admin Guide for RHBK (#1690) Closes #1688 2022-10-05 18:43:15 +00:00			`image:images/create-oidc-client-secret-rotation-policy.png[Client Rotation Policy]`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00
			`. Enter any name for Name.`

			`. Enter a description that helps you identify the purpose of the policy for Description.`

			`. Click Save.`
			`+`
			`This action creates the policy and enables you to associate policies with profiles. It also allows you to configure the conditions for policy execution.`
			`+`
Updating Server Admin Guide for new Admin Console (#1626) Closes #1575 2022-07-26 15:50:24 +00:00			`. Under Conditions, click Add condition.`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00			`+`
			`.Create the Client Secret Rotation Policy Condition`
Preparing Server Admin Guide for RHBK (#1690) Closes #1688 2022-10-05 18:43:15 +00:00			`image:images/create-oidc-client-secret-rotation-condition.png[Client Rotation Policy Condition]`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00
			`. To apply the behavior to all confidential clients select _client-access-type_ in the Condition Type field`
			`+`
			`[NOTE]`
			`====`
			`To apply to a specific group of clients, another approach would be to select the _client-roles_ type in the Condition Type field. In this way, you could create specific roles and assign a custom rotation configuration to each role.`
			`====`
			`+`
			`. Add _confidential_ to the field Client Access Type.`

Updating Server Admin Guide for new Admin Console (#1626) Closes #1575 2022-07-26 15:50:24 +00:00			`. Click Add.`

			`. Back in the policy setting, under _Client Profiles_, click Add client profile and then select Weekly Client Secret Rotation Profile from the list and then click Add.`
Preparing Server Admin Guide for RHBK (#1690) Closes #1688 2022-10-05 18:43:15 +00:00			`+`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00			`.Client Secret Rotation Policy`
Preparing Server Admin Guide for RHBK (#1690) Closes #1688 2022-10-05 18:43:15 +00:00			`image:images/oidc-client-secret-rotation-policy.png[Client Rotation Policy]`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00
			`[NOTE]`
			`====`
Updating Server Admin Guide for new Admin Console (#1626) Closes #1575 2022-07-26 15:50:24 +00:00			`To apply the secret rotation behavior to an existing client, follow the following steps:`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00
			`.Using the Admin Console`
Updating Server Admin Guide for new Admin Console (#1626) Closes #1575 2022-07-26 15:50:24 +00:00			`. Click Clients in the menu.`
			`. Click a client.`
			`. Click the Credentials tab.`
			`. Click Re-generate of the client secret.`
Add images and new adoc files about client secret rotation (#1449) Closes #10610 2022-04-19 11:59:25 +00:00			`====`

			`---`

			`.Using client REST services it can be executed in two ways:`
			`* Through an update operation on a client`
			`* Through the regenerate client secret endpoint`