[id="proc-secret-rotation_{context}"] [[_proc-secret-rotation]] = Creating an OIDC Client Secret Rotation Policy [role="_abstract"] The following is an example of defining a secret rotation policy: .Procedure . Click *Realm Settings* in the left menu. . Click *Client Policies* tab. . On Profiles Page, Click *Create* + .Create a profile image:images/create-oidc-client-profile.png[Create Client Profile] . Enter any name for *Name*. . Enter a description that helps you identify the purpose of the profile for *Description*. . Click *Save*. + This action creates the profile and enables you to configure executors. . Click *Create* to configure an executor for this profile. + .Create a profile executors image:images/create-oidc-client-secret-rotation-executor.png[Client Profile Executor] . Select _secret-rotation_ for *Executor Type*. . Enter the maximum duration time of each secret, in seconds, for *Secret Expiration*. . Enter the maximum duration time of each rotated secret, in seconds, for *Rotated Secret Expiration*. + WARNING: Remember that the *Rotated Secret Expiration* value must always be less than *Secret Expiration*. . Enter the amount of time, in seconds, after which any update action will update the client for *Remain Expiration Time*. . Click *Save*. + [NOTE] ==== In the example above: * Each secret is valid for one week. * The rotated secret expires after two days. * The window for updating dynamic clients starts one day before the secret expires. ==== + . Return to the *Client Policies* tab. . Click *Policies*. . Click *Create*. + .Create the Client Secret Rotation Policy image:images/create-oidc-client-secret-rotation-policy.png[Client Rotation Policy] . Enter any name for *Name*. . Enter a description that helps you identify the purpose of the policy for *Description*. . Click *Save*. + This action creates the policy and enables you to associate policies with profiles. It also allows you to configure the conditions for policy execution. + . Under Conditions, click *Create*. + .Create the Client Secret Rotation Policy Condition image:images/create-oidc-client-secret-rotation-condition.png[Client Rotation Policy Condition] . To apply the behavior to all confidential clients select _client-access-type_ in the *Condition Type* field + [NOTE] ==== To apply to a specific group of clients, another approach would be to select the _client-roles_ type in the *Condition Type* field. In this way, you could create specific roles and assign a custom rotation configuration to each role. ==== + . Add _confidential_ to the field *Client Access Type*. . Click *Save*. . Back in the policy setting, under _Client Profiles_, in the *Add client profile* selection menu, select the profile *Weekly Client Secret Rotation Profile* created earlier. .Client Secret Rotation Policy image:images/oidc-client-secret-rotation-policy.png[Client Rotation Policy] [NOTE] ==== To apply the secret rotation behavior to an existing client, follow the following steps: .Using the Admin Console . Go to some client. . Go to tab *_Credentials_*. . Click *_Re-generate secret_*. ==== --- .Using client REST services it can be executed in two ways: * Through an update operation on a client * Through the regenerate client secret endpoint