Hi Indunil, In a case of client_secret being revealed wouldn't it be sufficient only to regenerate the client_key without regenerating the consumer key? In Google API console I have noticed that you only have the option to reset the client secret of an OAuth application. If you want to regenerate both client_id and client_secret you simply delete the app and create a new one.
Thanks,
Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
Email: [email protected]
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>

On Fri, Jun 3, 2016 at 10:21 AM, Indunil Upeksha Rathnayake <[email protected]> wrote:
> Hi,
> I am working on [1] for implementing regeneration of client secret/key of an oauth app and revocation of an oauth app for the next milestone release of Identity Server. Appreciate your feedback on the following approaches I have taken.
>
> A trusted client would need to update the client secret/key, in order to prevent the abuse of a revealed client secret/key. So for addressing that, I am working on adding two options as *Regenerate Client Secret* and *Regenerate Consumer Key* for oauth applications in IS. After a client secret/key gets regenerated, that will immediately invalidate any active authorization code, access token or refresh token issued to the respective client.
>
> *Will it be necessary to add two options for revoking client secret and key or better to go for a different approach?*
>
> And apart from that, planning for the implementation of *Revoking an oauth app*. In there the oauth app will be revoked and that also will immediately invalidate any active authorization code, access token or refresh token issued to the respective client. In order to activate the oauth app again, need to regenerate the client secret.
>
> *In there to activate the app, better to regenerate "both client key and secret" or "either client key or secret"?*
>
> Really value your ideas/suggestions on improving this feature.
>
> [1] https://redmine.wso2.com/issues/2135
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Email [email protected]
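A sketch of the behaviour discussed in this thread, added here as an example and not code from the thread or from WSO2 Identity Server: each token is bound to the secret version current when it was issued, so regenerating the secret alone (client_id kept, as Farasath suggests) invalidates every outstanding token, and a revoked app becomes usable again only through a regeneration. The registry class, its method names and the in-memory stores are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

def _hash(secret: str) -> str:
    # only a digest of the client secret is stored, never the secret itself
    return hashlib.sha256(secret.encode()).hexdigest()

class ClientRegistry:
    """Hypothetical in-memory OAuth client store (assumed, not WSO2 IS code)."""
    def __init__(self):
        self.apps = {}    # client_id -> {"hash", "version", "revoked"}
        self.tokens = {}  # token -> (client_id, secret version at issue time)

    def register(self):
        client_id, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.apps[client_id] = {"hash": _hash(secret), "version": 1, "revoked": False}
        return client_id, secret

    def authenticate(self, client_id, secret):
        app = self.apps.get(client_id)
        return (app is not None and not app["revoked"]
                and hmac.compare_digest(app["hash"], _hash(secret)))

    def issue_token(self, client_id, secret):
        # stands in for any authorization code, access token or refresh token
        if not self.authenticate(client_id, secret):
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, self.apps[client_id]["version"])
        return token

    def validate_token(self, token):
        entry = self.tokens.get(token)
        if entry is None:
            return False
        client_id, version = entry
        app = self.apps.get(client_id)
        # a version mismatch means the secret was regenerated after issuance
        return app is not None and not app["revoked"] and version == app["version"]

    def regenerate_secret(self, client_id):
        # client_id is unchanged; bumping the version invalidates all tokens
        # issued earlier and re-activates an app that was revoked
        app = self.apps[client_id]
        secret = secrets.token_urlsafe(32)
        app.update(hash=_hash(secret), version=app["version"] + 1, revoked=False)
        return secret

    def revoke_app(self, client_id):
        self.apps[client_id]["revoked"] = True
```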
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
