Hi Farasath,

In that case, we would have to create a new application if someone wants to reset the consumer key. That will not be a good experience for the user, and the specification also does not specifically say whether we should revoke only the consumer key or both.

    An authorization server may revoke a client's secret in order to prevent abuse of a revealed secret. Note: This measure will immediately invalidate any authorization "code" or refresh token issued to the respective client. This might unintentionally impact client identifiers and secrets used across multiple deployments of a particular native or web application.

*Harsha Thirimanna*
Associate Tech Lead; WSO2, Inc.; http://wso2.com
email: [email protected]
cell: +94 71 5186770
twitter: http://twitter.com/harshathirimann
linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
*Lean . Enterprise . Middleware*

On Fri, Jun 3, 2016 at 11:11 AM, Farasath Ahamed <[email protected]> wrote:

> Hi Indunil,
>
> In the case of a client_secret being revealed, wouldn't it be sufficient only to regenerate the client_key without regenerating the consumer key? In the Google API console I have noticed that you only have the option to reset the client secret of an OAuth application. If you want to regenerate both client_id and client_secret, you simply delete the app and create a new one.
>
> Thanks,
> Farasath Ahamed
> Software Engineer,
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
>
> Email: [email protected]
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
>
> On Fri, Jun 3, 2016 at 10:21 AM, Indunil Upeksha Rathnayake <[email protected]> wrote:
>
>> Hi,
>>
>> I am working on [1] for implementing regeneration of the client secret/key of an OAuth app and revocation of an OAuth app for the next milestone release of Identity Server. I would appreciate your feedback on the following approaches I have taken.
>>
>> A trusted client would need to update the client secret/key in order to prevent the abuse of a revealed client secret/key. So for addressing that, I am working on adding two options, *Regenerate Client Secret* and *Regenerate Consumer Key*, for OAuth applications in IS. After a client secret/key gets regenerated, that will immediately invalidate any active authorization code, access token or refresh token issued to the respective client.
>>
>> *Will it be necessary to add two options for revoking client secret and key, or is it better to go for a different approach?*
>>
>> Apart from that, I am planning the implementation of *Revoking an OAuth app*. There the OAuth app will be revoked, and that also will immediately invalidate any active authorization code, access token or refresh token issued to the respective client. In order to activate the OAuth app again, the client secret needs to be regenerated.
>>
>> *There, to activate the app, is it better to regenerate "both client key and secret" or "either client key or secret"?*
>>
>> I would really value your ideas/suggestions on improving this feature.
>>
>> [1] https://redmine.wso2.com/issues/2135
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Software Engineer | WSO2 Inc
>> Email [email protected]
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
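The behaviour the thread is debating (rotating a client secret or consumer key must immediately invalidate the codes and tokens issued to that client, and the secret is only ever stored hashed) as an added Python sketch; this is not code from the thread or from WSO2 Identity Server, and the registry, token store and method names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ClientRegistry:
    """Hypothetical in-memory OAuth client store used to illustrate rotation."""

    def __init__(self):
        self.clients = {}  # client_id -> sha256 hash of the client secret
        self.tokens = {}   # token -> (client_id, kind); kind in {"code", "access", "refresh"}

    @staticmethod
    def _hash(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def register(self):
        """Create a client; the plaintext secret is returned once and never stored."""
        client_id, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.clients[client_id] = self._hash(secret)
        return client_id, secret

    def authenticate(self, client_id, secret):
        stored = self.clients.get(client_id)
        return stored is not None and hmac.compare_digest(stored, self._hash(secret))

    def issue(self, client_id, kind):
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, kind)
        return token

    def is_valid(self, token):
        return token in self.tokens

    def _revoke_all(self, client_id):
        """Drop every code, access and refresh token bound to the client (RFC 6749 §10.2 note)."""
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != client_id}

    def regenerate_secret(self, client_id):
        """Option 1 from the thread: new secret, same client_id, all tokens invalidated."""
        new_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = self._hash(new_secret)
        self._revoke_all(client_id)
        return new_secret

    def regenerate_consumer_key(self, client_id):
        """Option 2: new client_id (the old one stops working) plus a new secret."""
        self._revoke_all(client_id)
        del self.clients[client_id]
        return self.register()
```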
