puppetlabs / vault-plugin-secrets-oauthapp

OAuth 2.0 secrets plugin for HashiCorp Vault supporting a variety of grant types
Apache License 2.0

Support multiple client secrets with fallbacks #35

Closed. impl closed this 3 years ago.

impl commented 3 years ago

Use Case

We need to be able to occasionally rotate client secrets. Supporting only one client secret at a time means there's the potential for downtime for authentication services between when the IdP updates the secret and when this plugin receives a new secret. Therefore, it would be nice to be able to have a list of possible client secrets that we try in order, falling back as needed.

Describe the Solution You Would Like

The config endpoint should take an additional optional client_secrets parameter that contains an ordered list of secrets to try. If client_secret is specified, it would be prepended to that list.

Additional Context

See, e.g., https://community.auth0.com/t/rotate-secret-without-downtime/11342.
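The ordering and fallback behaviour described in the request, as an added example in Go (the plugin's language). This is not code from the plugin or from the issue author; the Config field names follow the proposed config parameters, and the Exchange callback, FakeIdP and the returned secret index are assumptions made so the logic can run offline against a simulated IdP.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Config mirrors the proposed config endpoint fields (assumed names):
// the existing single client_secret plus an ordered client_secrets list.
type Config struct {
	ClientID      string
	ClientSecret  string   // existing single secret, optional
	ClientSecrets []string // proposed ordered fallback list, optional
}

// SecretsInOrder returns the secrets to try: client_secret first (if set),
// then client_secrets in order. Duplicates and empty strings are dropped so
// the same credential is never presented to the IdP twice.
func (c Config) SecretsInOrder() []string {
	var out []string
	seen := map[string]bool{}
	add := func(s string) {
		if s == "" || seen[s] {
			return
		}
		seen[s] = true
		out = append(out, s)
	}
	add(c.ClientSecret)
	for _, s := range c.ClientSecrets {
		add(s)
	}
	return out
}

// OAuthError models the error response an authorization server returns
// (RFC 6749 section 5.2); invalid_client means client authentication failed.
type OAuthError struct{ Code, Description string }

func (e *OAuthError) Error() string { return e.Code + ": " + e.Description }

// ErrNoSecrets is returned when neither config field yields a usable secret.
var ErrNoSecrets = errors.New("no client secret configured")

// Exchange performs one token request using the given client credentials
// (hypothetical signature standing in for the real token-endpoint call).
type Exchange func(ctx context.Context, clientID, clientSecret string) (token string, err error)

// ExchangeWithFallback tries each secret in order and returns the token and
// the index of the secret that worked. It only moves on to the next secret
// when the server rejects the client credentials (invalid_client); any other
// failure (transport error, invalid_grant, ...) is returned at once, because
// another secret would not fix it and every extra attempt counts against
// IdP lockout or rate-limit thresholds.
func ExchangeWithFallback(ctx context.Context, cfg Config, ex Exchange) (string, int, error) {
	secrets := cfg.SecretsInOrder()
	if len(secrets) == 0 {
		return "", -1, ErrNoSecrets
	}
	var last error
	for i, s := range secrets {
		tok, err := ex(ctx, cfg.ClientID, s)
		if err == nil {
			return tok, i, nil
		}
		var oe *OAuthError
		if errors.As(err, &oe) && oe.Code == "invalid_client" {
			last = err
			continue
		}
		return "", i, err
	}
	return "", -1, fmt.Errorf("all %d client secrets rejected: %w", len(secrets), last)
}

// FakeIdP simulates an authorization server that accepts exactly one secret
// (constructed stand-in for a real token endpoint).
func FakeIdP(accepted string) Exchange {
	return func(_ context.Context, clientID, secret string) (string, error) {
		if secret != accepted {
			return "", &OAuthError{"invalid_client", "client authentication failed"}
		}
		return "token-for-" + clientID, nil
	}
}

func main() {
	cfg := Config{ClientID: "vault", ClientSecret: "old-secret", ClientSecrets: []string{"new-secret"}}
	// Before rotation the IdP accepts old-secret; afterwards it accepts new-secret.
	// Either way the exchange succeeds without a config change in between.
	for _, accepted := range []string{"old-secret", "new-secret"} {
		tok, idx, err := ExchangeWithFallback(context.Background(), cfg, FakeIdP(accepted))
		fmt.Printf("idp accepts %q -> token=%q usedIndex=%d err=%v\n", accepted, tok, idx, err)
	}
}
```

Two design points worth keeping if something like this is implemented: fall back only on invalid_client, so that unrelated errors are not masked by a walk through the whole list, and surface which index succeeded (or log it) so operators know when the old secret has stopped working and can remove it from the list rather than leaving a retired credential configured indefinitely.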