AnsweredAssumed Answered

When using OAuth 2.0 can we configure lifetime for Client_Secret alone?

Question asked by on Apr 18, 2016
Latest reply on Apr 21, 2016 by

Hello, Currently we are using OAuth 2.0 for authentication in the API Gateway. We are assigning custom Client_IDs/Client_key unique to every single client we provision for using our services through OAuth 2.0. These clients are given a client_secret along with the client_ID. While we don't want to set any lifetime for the client_ID, the business requires that we expire the client_secret alone over a period of 6 months and issue the client with a new secret. Here we do not want to expire or change the client_ID/key. Can this be accomplished through the OTK? Is there a possibility that only the client_secret expires every 6 months and we set a new secret for the same ID? (Assuming that we don't use the out of the box OAuth manager but use our custom provisioning tool which makes REST calls to the OAuth policies similar to the OAuth manager to insert data into the OTK DB). Thanks!