Client Credentials Expiration and Overlap

Hello Okta gurus,

What are the best practices to rotate client credentials (grant_type=client_credentials) on a periodic basis but still have overlapping capability to avoid hard coordination between teams which are geographically distributed?

e.g. can we have 90 days client creds rotation policy but still have 7 days overlapping with old creds?


Hi @Shailesh_Joshi

Due to security reasons, we don’t offer this capability to overlap the old credentials with the new ones. The best solution would be to have a daily cURL request to check if the credentials have been rotated and, if yes, gather the new credentials, unless the application requests the /keys endpoint every time before checking the signature.

Thanks dragos. When we normally rotate the creds, do both the client ID and the secret key get rotated, or just the secret?

Hi @Shailesh_Joshi

By rotation, we update the signing keys for verifying JWT tokens locally, not the client ID and client secret. You can find more details about this process here.

Hi @dragos,
Is there some way to detect that the credentials were rotated? Because even if we refresh the keys daily, there is probably some period of time where the server signs with the new key and the validation happens with the previous key.
What should be the best approach to update the keys without the scenario that I mentioned?