104 lines
3.2 KiB
Text
104 lines
3.2 KiB
Text
[id="proc-secret-rotation_{context}"]
|
|
|
|
[[_proc-secret-rotation]]
|
|
|
|
= Creating an OIDC Client Secret Rotation Policy
|
|
[role="_abstract"]
|
|
|
|
The following is an example of defining a secret rotation policy:
|
|
|
|
.Procedure
|
|
. Click *Realm Settings* in the left menu.
|
|
|
|
. Click *Client Policies* tab.
|
|
|
|
. On Profiles Page, Click *Create*
|
|
+
|
|
.Create a profile
|
|
image:images/create-oidc-client-profile.png[Create Client Profile]
|
|
|
|
. Enter any name for *Name*.
|
|
|
|
. Enter a description that helps you identify the purpose of the profile for *Description*.
|
|
|
|
. Click *Save*.
|
|
+
|
|
This action creates the profile and enables you to configure executors.
|
|
. Click *Create* to configure an executor for this profile.
|
|
+
|
|
.Create a profile executors
|
|
image:images/create-oidc-client-secret-rotation-executor.png[Client Profile Executor]
|
|
|
|
. Select _secret-rotation_ for *Executor Type*.
|
|
|
|
. Enter the maximum duration time of each secret, in seconds, for *Secret Expiration*.
|
|
|
|
. Enter the maximum duration time of each rotated secret, in seconds, for *Rotated Secret Expiration*.
|
|
+
|
|
WARNING: Remember that the *Rotated Secret Expiration* value must always be less than *Secret Expiration*.
|
|
. Enter the amount of time, in seconds, after which any update action will update the client for *Remain Expiration Time*.
|
|
|
|
. Click *Save*.
|
|
+
|
|
[NOTE]
|
|
====
|
|
In the example above:
|
|
|
|
* Each secret is valid for one week.
|
|
* The rotated secret expires after two days.
|
|
* The window for updating dynamic clients starts one day before the secret expires.
|
|
====
|
|
+
|
|
. Return to the *Client Policies* tab.
|
|
|
|
. Click *Policies*.
|
|
|
|
. Click *Create*.
|
|
+
|
|
.Create the Client Secret Rotation Policy
|
|
image:images/create-oidc-client-secret-rotation-policy.png[Client Rotation Policy]
|
|
|
|
. Enter any name for *Name*.
|
|
|
|
. Enter a description that helps you identify the purpose of the policy for *Description*.
|
|
|
|
. Click *Save*.
|
|
+
|
|
This action creates the policy and enables you to associate policies with profiles. It also allows you to configure the conditions for policy execution.
|
|
+
|
|
. Under Conditions, click *Create*.
|
|
+
|
|
.Create the Client Secret Rotation Policy Condition
|
|
image:images/create-oidc-client-secret-rotation-condition.png[Client Rotation Policy Condition]
|
|
|
|
. To apply the behavior to all confidential clients select _client-access-type_ in the *Condition Type* field
|
|
+
|
|
[NOTE]
|
|
====
|
|
To apply to a specific group of clients, another approach would be to select the _client-roles_ type in the *Condition Type* field. In this way, you could create specific roles and assign a custom rotation configuration to each role.
|
|
====
|
|
+
|
|
. Add _confidential_ to the field *Client Access Type*.
|
|
|
|
. Click *Save*.
|
|
|
|
. Back in the policy setting, under _Client Profiles_, in the *Add client profile* selection menu, select the profile *Weekly Client Secret Rotation Profile* created earlier.
|
|
|
|
.Client Secret Rotation Policy
|
|
image:images/oidc-client-secret-rotation-policy.png[Client Rotation Policy]
|
|
|
|
[NOTE]
|
|
====
|
|
To apply the secret rotation behavior to an existing client, follow the following steps:
|
|
|
|
.Using the Admin Console
|
|
. Go to some client.
|
|
. Go to tab *_Credentials_*.
|
|
. Click *_Re-generate secret_*.
|
|
====
|
|
|
|
---
|
|
|
|
.Using client REST services it can be executed in two ways:
|
|
* Through an update operation on a client
|
|
* Through the regenerate client secret endpoint
|