- OAuth service user passwords should be rotated frequently, e.g. every two hours.
- OAuth client credentials (client ID and secret for confidential clients) might be rotated every month.
The Provider allows rotating both user and client credentials via its
/raw-sync/ REST API.
To rotate an application’s user credentials, do:
- Add a new password by sending a POST request to
- Distribute the new password (e.g. via a S3 Mint Bucket).
- Wait at least 10 minutes to give the application time to pick up the new password. Both old and new password will be active during this grace period.
- Commit the new password by overwriting the user’s passwords via a PATCH request to
OAuth client credentials can be rotated by creating a new client and deactivating or deleting the old one:
- Create a new client by sending a PUT request to
- Distribute the new client credentials (e.g. via a S3 Mint Bucket).
- Wait at least 10 minutes to give the application time to pick up the new client credentials. Both old and new client will be active during this grace period.
- Reset the old client’s secret to some random string or delete the old client completely.
Example REST call to create a new client in the
/services realm using HTTPie:
$ SECRET_HASH=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b'test', bcrypt.gensalt(4)).decode('ascii'))") $ TOK='mytoken' # valid OAuth token $ http PUT https://planb-provider.example.org/raw-sync/clients/services/myclient-123 \ is_confidential:=true \ name='Example Client'\ secret_hash=$SECRET_HASH \ "Authorization:Bearer $TOK"