Okta - Client secret rotation and key management - Use a URL to fetch keys dynamically option

danoroian-perficient · October 10, 2024, 5:10am

Hi, we are currently in analysis to implement client secret rotation for an okta application service.

According to this guide we are exploring the Use a URL to fetch keys dynamically option:

However there doesn`t seem to be any info about any possible authentication mechanism or ways for us to secure this endpoint that will get the public keys. Are there any possible ways to add some security around it ?

Thanks

nikitag · October 15, 2024, 7:57am

Hi there, Okta’s Keys endpoint https:/{yourOktaDomain}/oauth2/v1/keys is a public metadata endpoint and has only public keys which are not considered a security issue while sharing.
If you have specific security questions, let us know.

system · November 14, 2024, 7:58am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Post		Replies	Views
Rotate JWKS public/private keypair on Service App Questions java	4	3231	August 26, 2021
How to rotate public/private key pair using client credentials grant flow? Questions	14	5217	January 22, 2021
Regarding Client Authentication OIN Submissions	2	50	November 7, 2024
Is it possible to get a client id/secret for every user instead of app OAuth/OIDC	2	3125	December 11, 2022
How do you rotate a client secret using the Java SDK? OAuth/OIDC java	0	11	January 7, 2025

Okta - Client secret rotation and key management - Use a URL to fetch keys dynamically option

Related topics