Layer7 API Management

  • 1.  When using OAuth 2.0 can we configure lifetime for Client_Secret alone?

    Posted Apr 18, 2016 10:58 AM

    Hello. Currently we are using OAuth 2.0 for authentication in the API Gateway. We are assigning custom Client_IDs/Client_keys unique to every single client we provision for using our services through OAuth 2.0. These clients are given a client_secret along with the client_ID. While we don't want to set any lifetime for the client_ID, the business requires that we expire the client_secret alone over a period of 6 months and issue the client with a new secret. Here we do not want to expire or change the client_ID/key. Can this be accomplished through the OTK? Is there a possibility that only the client_secret expires every 6 months and we set a new secret for the same ID? (Assuming that we don't use the out-of-the-box OAuth manager but use our custom provisioning tool, which makes REST calls to the OAuth policies, similar to the OAuth manager, to insert data into the OTK DB.) Thanks!



  • 2.  Re: When using OAuth 2.0 can we configure lifetime for Client_Secret alone?
    Best Answer

    Broadcom Employee
    Posted Apr 18, 2016 07:00 PM

    No, you cannot configure the client secret to expire only and set a new secret for the same client ID. The client ID and client secret are a pair. While you can configure the client ID to expire, expiration of the client secret is not configurable.

    See: Configure Token Lifetime Properties - CA API Management OAuth Toolkit - 3.3 - CA Technologies Documentation



  • 3.  Re: When using OAuth 2.0 can we configure lifetime for Client_Secret alone?

    Posted Apr 19, 2016 10:10 AM

    Thanks for clarifying. Since Client_ID and Client_secret act as "username-password" credentials when a system is requesting access to the resource on its own behalf, the security team feels that the secret must be treated as a password. If there's an option to expire the password, it would be good, right?



  • 4.  Re: When using OAuth 2.0 can we configure lifetime for Client_Secret alone?

    Broadcom Employee
    Posted Apr 19, 2016 03:15 PM

    Actually, yes, an option to expire the client secret independent of the client ID would be good.

    Now, I talked more about this with my colleague Sascha, who is the OAuth 2.0 expert around here (saspr02).

    Although expiration of the client secret is not configurable through the OTK, he tells me you could manually change the client_secret and assign it to the same client ID. So I believe there is hope. See, even "correct answers" can expire. ;-)



  • 5.  Re: When using OAuth 2.0 can we configure lifetime for Client_Secret alone?

    Posted Apr 21, 2016 10:40 AM

    Haha... You're right. As per RFC 6819 for the OAuth 2.0 threat model, there is a section where the client secret can be abused. The countermeasure provided includes revoking the client secret alone and assigning a new secret. As per this document, there must be a way to revoke the client secret alone, and there must be an option to configure the lifetime of a secret as a preventive measure. Although I can just go ahead and execute an "Update DB Query" against the "oauth_client_key" table, which will allow me to manually change the secret, we need a way to configure this lifetime out of the box, since this method will not allow me to expire the secret but instead only update it when needed. I will submit an idea for the same and you can vote for it if you agree. Thanks :)
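The behaviour the thread asks for (a secret lifetime and rotation that leave the client_id untouched) is straightforward to implement in a custom provisioning store. The following is an added illustration, not OTK code and not its "oauth_client_key" schema: it uses a hypothetical `client_credential` table in an in-memory SQLite database, stores only salted PBKDF2 hashes of secrets, and keeps the old secret valid for a short grace window after rotation so a client can migrate without an outage.

```python
import hashlib, hmac, os, secrets, sqlite3
from datetime import datetime, timedelta, timezone

SECRET_LIFETIME = timedelta(days=182)          # roughly the 6 months required in the thread
ROTATION_GRACE = timedelta(days=7)             # old secret stays valid this long after rotation
T0 = datetime(2016, 4, 18, tzinfo=timezone.utc)  # fixed "now" for the constructed scenario

def days_after(n):
    return T0 + timedelta(days=n)

def _hash(secret, salt):
    # Secrets are credentials: store a salted, stretched hash, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000).hex()

def open_store():
    # Hypothetical table; one client_id may hold several secrets with independent expiry.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE client_credential (
                    client_id TEXT NOT NULL, salt BLOB NOT NULL,
                    secret_hash TEXT NOT NULL, expires_at TEXT NOT NULL)""")
    return db

def issue_secret(db, client_id, now):
    # Generates a new secret for an existing client_id and returns it exactly once.
    secret, salt = secrets.token_urlsafe(32), os.urandom(16)
    db.execute("INSERT INTO client_credential VALUES (?, ?, ?, ?)",
               (client_id, salt, _hash(secret, salt), (now + SECRET_LIFETIME).isoformat()))
    return secret

def rotate_secret(db, client_id, now):
    # Shorten every current secret to the grace window (never extend it), then issue a new one.
    db.execute("UPDATE client_credential SET expires_at = min(expires_at, ?) WHERE client_id = ?",
               ((now + ROTATION_GRACE).isoformat(), client_id))
    return issue_secret(db, client_id, now)

def authenticate(db, client_id, presented, now):
    # Accepts the client only if some unexpired secret for that client_id matches.
    rows = db.execute("SELECT salt, secret_hash, expires_at FROM client_credential "
                      "WHERE client_id = ?", (client_id,)).fetchall()
    for salt, stored_hash, expires_at in rows:
        if datetime.fromisoformat(expires_at) <= now:
            continue                               # expired: ignore even if it matches
        if hmac.compare_digest(_hash(presented, salt), stored_hash):
            return True
    return False
```

Because expiry is checked at authentication time, a secret that was never rotated simply stops working once its lifetime passes, which is the "expire, not just update" distinction raised above.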



  • 6.  Re: When using OAuth 2.0 can we configure lifetime for Client_Secret alone?

    Posted Apr 21, 2016 10:57 AM

    I have created an Idea on this. Please vote on it if you feel it's a good option to have it included in the OTK. https://communities.ca.com/ideas/235730820