Hi Indunil,

What are the guidelines given by the OAuth 2.0 specification regarding the $subject? As stated by @Farzath, I think even Twitter does the same thing.

Thanks,
Kasun.

On Fri, Jun 3, 2016 at 11:11 AM, Farasath Ahamed <[email protected]> wrote:

> Hi Indunil,
>
> In a case of client_secret being revealed wouldn't it be sufficient only to regenerate the client_key without regenerating the consumer key? In Google API console I have noticed that you only have the option to reset the client secret of an OAuth application. If you want to regenerate both client_id and client_secret you simply delete the app and create a new one.
>
> Thanks,
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> Email: [email protected]
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
>
> On Fri, Jun 3, 2016 at 10:21 AM, Indunil Upeksha Rathnayake <[email protected]> wrote:
>
>> Hi,
>>
>> I am working on [1] for implementing regeneration of client secret/key of an oauth app and revocation of an oauth app for the next milestone release of Identity Server. Appreciate your feedback on the following approaches I have taken.
>>
>> A trusted client would need to update the client secret/key, in order to prevent the abuse of a revealed client secret/key. So for addressing that, I am working on adding two options, *Regenerate Client Secret* and *Regenerate Consumer Key*, for oauth applications in IS. After a client secret/key gets regenerated, that will immediately invalidate any active authorization code, access token or refresh token issued to the respective client.
>>
>> *Will it be necessary to add two options for revoking client secret and key or better to go for a different approach?*
>>
>> And apart from that, planning for the implementation of *Revoking an oauth app*. In there the oauth app will be revoked and that also will immediately invalidate any active authorization code, access token or refresh token issued to the respective client. In order to activate the oauth app again, need to regenerate the client secret.
>>
>> *In there to activate the app, better to regenerate "both client key and secret" or "either client key or secret"?*
>>
>> Really value your ideas/suggestions on improving this feature.
>>
>> [1] https://redmine.wso2.com/issues/2135
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Email [email protected]
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Kasun Bandara
*Software Engineer*
Mobile : +94 (0) 718 338 360
[email protected]
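The regenerate/revoke semantics Indunil describes above, as an added illustration that is not WSO2 Identity Server code: a minimal in-memory registry where each app carries a credential generation counter, so regenerating the secret, regenerating the key, or revoking the app invalidates every token issued under the previous generation without scanning the token store, and a revoked app only accepts credentials again after its secret is regenerated. All class and function names here are hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass

@dataclass
class OAuthApp:
    client_id: str
    secret_hash: str      # only a digest of the client secret is stored
    generation: int = 0   # bumped on regenerate/revoke; older tokens become stale
    revoked: bool = False

@dataclass
class Token:
    value: str
    client_id: str
    generation: int       # generation of the app credentials when issued

def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

class Registry:
    def __init__(self):
        self.apps = {}    # client_id -> OAuthApp (hypothetical in-memory store)

    def register(self):
        client_id, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.apps[client_id] = OAuthApp(client_id, _hash(secret))
        return client_id, secret  # secret is shown to the client once

    def issue_token(self, client_id: str, secret: str) -> Token:
        app = self.apps[client_id]
        if app.revoked or not secrets.compare_digest(app.secret_hash, _hash(secret)):
            raise PermissionError("client revoked or bad secret")
        return Token(secrets.token_urlsafe(24), client_id, app.generation)

    def is_valid(self, tok: Token) -> bool:
        app = self.apps.get(tok.client_id)
        return app is not None and not app.revoked and tok.generation == app.generation

    def regenerate_secret(self, client_id: str) -> str:
        app, secret = self.apps[client_id], secrets.token_urlsafe(32)
        app.secret_hash, app.generation, app.revoked = _hash(secret), app.generation + 1, False
        return secret  # also reactivates a revoked app, as proposed in the thread

    def regenerate_key(self, client_id: str) -> str:
        app = self.apps.pop(client_id)  # old client_id no longer resolves
        app.client_id, app.generation = secrets.token_urlsafe(16), app.generation + 1
        self.apps[app.client_id] = app
        return app.client_id

    def revoke_app(self, client_id: str) -> None:
        app = self.apps[client_id]
        app.revoked, app.generation = True, app.generation + 1
```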
