Hi, I am working on [1] for implementing regeneration of the client secret/key of an OAuth app and revocation of an OAuth app for the next milestone release of Identity Server. I would appreciate your feedback on the following approaches I have taken.
A trusted client would need to update the client secret/key in order to prevent abuse of a revealed client secret/key. To address that, I am working on adding two options, *Regenerate Client Secret* and *Regenerate Consumer Key*, for OAuth applications in IS. After a client secret/key gets regenerated, that will immediately invalidate any active authorization code, access token or refresh token issued to the respective client.

*Will it be necessary to add two options for revoking the client secret and key, or is it better to go for a different approach?*

Apart from that, I am planning the implementation of *Revoking an OAuth app*. There the OAuth app will be revoked, and that also will immediately invalidate any active authorization code, access token or refresh token issued to the respective client. In order to activate the OAuth app again, the client secret needs to be regenerated.

*There, to activate the app, is it better to regenerate "both client key and secret" or "either client key or secret"?*

I really value your ideas/suggestions on improving this feature.

[1] https://redmine.wso2.com/issues/2135

Thanks and Regards
--
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email [email protected]
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
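The message above describes two invalidation rules: regenerating a client's secret or key must immediately reject every authorization code, access token and refresh token issued to that client, and revoking the app must do the same until the secret is regenerated. The following is an added example written for this page, not Identity Server's code; the `Registry` class, the per-app credential `generation` counter and every name in it are assumptions. It models both rules so the semantics the post asks about can be exercised: tokens record the credential generation they were issued under, so a single integer comparison at validation time rejects everything issued before a regeneration, and a revoked flag blocks issuance and validation until secret regeneration clears it.

```python
"""Model of OAuth client credential regeneration and app revocation.

Added example, not WSO2 Identity Server code. The generation-counter scheme,
class names and reactivation rule are assumptions made for illustration.
"""
import secrets
from dataclasses import dataclass


@dataclass
class OAuthApp:
    consumer_key: str
    consumer_secret: str
    revoked: bool = False
    # Credential generation: bumped on every key/secret regeneration so that
    # anything issued under an older generation can be rejected with one compare.
    generation: int = 0


@dataclass
class IssuedToken:
    consumer_key: str   # key the token was issued to (stale after key regeneration)
    generation: int     # credential generation at issuance time
    kind: str           # "code", "access" or "refresh"
    value: str


class Registry:
    """In-memory stand-in for the OAuth app store and token store (assumed)."""

    def __init__(self) -> None:
        self.apps: dict[str, OAuthApp] = {}       # consumer_key -> app
        self.tokens: dict[str, IssuedToken] = {}  # token value -> record

    def register(self) -> OAuthApp:
        app = OAuthApp(secrets.token_urlsafe(16), secrets.token_urlsafe(32))
        self.apps[app.consumer_key] = app
        return app

    def issue(self, consumer_key: str, kind: str) -> str:
        """Issue a code/access/refresh token; a revoked app gets nothing."""
        app = self.apps[consumer_key]
        if app.revoked:
            raise PermissionError("app is revoked")
        value = secrets.token_urlsafe(24)
        self.tokens[value] = IssuedToken(consumer_key, app.generation, kind, value)
        return value

    def is_valid(self, value: str) -> bool:
        """A token is live only if its app exists, is not revoked, and the
        app's credentials have not been regenerated since issuance."""
        tok = self.tokens.get(value)
        if tok is None:
            return False
        app = self.apps.get(tok.consumer_key)
        return app is not None and not app.revoked and tok.generation == app.generation

    def regenerate_secret(self, consumer_key: str) -> str:
        """Rotate the secret; invalidates all issued tokens and, as the post
        proposes, reactivates a revoked app."""
        app = self.apps[consumer_key]
        app.consumer_secret = secrets.token_urlsafe(32)
        app.generation += 1
        app.revoked = False
        return app.consumer_secret

    def regenerate_key(self, consumer_key: str) -> str:
        """Rotate the consumer key; tokens bound to the old key are orphaned
        (old key no longer resolves) and the generation bump covers the rest.
        Assumption: key regeneration alone does not reactivate a revoked app."""
        app = self.apps.pop(consumer_key)
        app.consumer_key = secrets.token_urlsafe(16)
        app.generation += 1
        self.apps[app.consumer_key] = app
        return app.consumer_key

    def revoke(self, consumer_key: str) -> None:
        self.apps[consumer_key].revoked = True


if __name__ == "__main__":
    reg = Registry()
    key = reg.register().consumer_key
    access = reg.issue(key, "access")
    print("valid before rotation:", reg.is_valid(access))
    reg.regenerate_secret(key)
    print("valid after rotation:", reg.is_valid(access))
```

Checking a stored generation instead of walking the token store on every regeneration keeps invalidation O(1) and atomic, which matters when the secret was leaked and the goal is that no token issued under it survives even for the duration of a bulk delete.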
