[id="proc-secret-rotation_{context}"]
[[_proc-secret-rotation]]
= Creating an OIDC Client Secret Rotation Policy

[role="_abstract"]
The following is an example of defining a secret rotation policy:

.Procedure
. Click *Realm Settings* in the menu.
. Click the *Client Policies* tab.
. On the *Profiles* page, click *Create client profile*.
+
.Create a profile
image:images/create-oidc-client-profile.png[Create Client Profile]

. Enter any name for *Name*.
. Enter a description that helps you identify the purpose of the profile for *Description*.
. Click *Save*.
+
This action creates the profile and enables you to configure executors.

. Click *Add executor* to configure an executor for this profile.
+
.Create a profile executor
image:images/create-oidc-client-secret-rotation-executor.png[Client Profile Executor]

. Select _secret-rotation_ for *Executor Type*.
. Enter the maximum duration time of each secret, in seconds, for *Secret Expiration*.
. Enter the maximum duration time of each rotated secret, in seconds, for *Rotated Secret Expiration*.
+
WARNING: Remember that the *Rotated Secret Expiration* value must always be less than *Secret Expiration*.

. Enter the amount of time, in seconds, after which any update action will update the client for *Remain Expiration Time*.
. Click *Add*.
+
====
In the example above:

* Each secret is valid for one week.
* The rotated secret expires after two days.
* The window for updating dynamic clients starts one day before the secret expires.
====

. Return to the *Client Policies* tab.
. Click *Policies*.
. Click *Create client policy*.
+
.Create the Client Secret Rotation Policy
image:images/create-oidc-client-secret-rotation-policy.png[Client Rotation Policy]

. Enter any name for *Name*.
. Enter a description that helps you identify the purpose of the policy for *Description*.
. Click *Save*.
+
This action creates the policy and enables you to associate policies with profiles. It also allows you to configure the conditions for policy execution.

. Under Conditions, click *Add condition*.
+
.Create the Client Secret Rotation Policy Condition
image:images/create-oidc-client-secret-rotation-condition.png[Client Rotation Policy Condition]

. To apply the behavior to all confidential clients, select _client-access-type_ in the *Condition Type* field.
+
[NOTE]
====
To apply the behavior to a specific group of clients, another approach would be to select the _client-roles_ type in the *Condition Type* field. In this way, you could create specific roles and assign a custom rotation configuration to each role.
====

. Add _confidential_ to the field *Client Access Type*.
. Click *Add*.
. Back in the policy settings, under _Client Profiles_, click *Add client profile*, select *Weekly Client Secret Rotation Profile* from the list, and then click *Add*.
+
.Client Secret Rotation Policy
image:images/oidc-client-secret-rotation-policy.png[Client Rotation Policy]

[NOTE]
====
To apply the secret rotation behavior to an existing client, follow these steps:

.Using the Admin Console
. Click *Clients* in the menu.
. Click a client.
. Click the *Credentials* tab.
. Click *Re-generate* of the client secret.
====

---

.Using client REST services
Rotation can be triggered in two ways:

* Through an update operation on a client
* Through the regenerate client secret endpoint
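The three executor settings above define time windows, and the interplay between them is easier to see in code. The following model is an added illustration, not part of this procedure or of Keycloak's own code: the class names and the way secret state is tracked are assumptions, while the settings and the one-week / two-day / one-day values are taken from the example above.

```python
# Added model of the timing rules behind the secret-rotation executor described above.
# Not Keycloak's own code: class names and state layout are assumptions; the three
# settings and the one-week / two-day / one-day example values come from the procedure.
import secrets
from dataclasses import dataclass
from typing import List, Optional

DAY = 24 * 3600
WEEK = 7 * DAY


@dataclass(frozen=True)
class RotationPolicy:
    secret_expiration: int          # Secret Expiration (s): max lifetime of the active secret
    rotated_secret_expiration: int  # Rotated Secret Expiration (s): grace period for the old one
    remain_expiration_time: int     # Remain Expiration Time (s): window before expiry for updates

    def __post_init__(self) -> None:
        # The constraint the console warns about: the rotated lifetime must be shorter.
        if not 0 < self.rotated_secret_expiration < self.secret_expiration:
            raise ValueError("Rotated Secret Expiration must be less than Secret Expiration")


@dataclass
class ClientSecretState:
    secret: str
    created_at: int                      # epoch seconds when the active secret was issued
    rotated_secret: Optional[str] = None
    rotated_at: Optional[int] = None     # epoch seconds when the previous secret was demoted

    def in_update_window(self, p: RotationPolicy, now: int) -> bool:
        """True once `now` is within Remain Expiration Time of the active secret expiring."""
        return now >= self.created_at + p.secret_expiration - p.remain_expiration_time

    def valid_secrets(self, p: RotationPolicy, now: int) -> List[str]:
        """Secrets a token request may present at `now`: the active one, plus the rotated one in grace."""
        out = []
        if now < self.created_at + p.secret_expiration:
            out.append(self.secret)
        if self.rotated_at is not None and now < self.rotated_at + p.rotated_secret_expiration:
            out.append(self.rotated_secret)
        return out

    def rotate(self, p: RotationPolicy, now: int) -> str:
        """Regeneration: demote the current secret to the rotated slot and mint a new one."""
        self.rotated_secret, self.rotated_at = self.secret, now
        self.secret, self.created_at = secrets.token_urlsafe(32), now
        return self.secret

    def update(self, p: RotationPolicy, now: int) -> bool:
        """A client update rotates only inside the window; returns whether it rotated."""
        return self.in_update_window(p, now) and self.rotate(p, now) is not None
```

With the example values, an update on day 5 leaves the secret alone, an update on day 6 rotates it, and the demoted secret stops being accepted on day 8 while the new one lives until day 13.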