Idea ID: 2875132

NAM IDP should provide two OAuth signing certificates to support a certificate rollover without invalidating active refresh tokens

Thomas Reibenwein Thomas Reibenwein
Status : New Idea

Some OAuth clients are using refresh tokens that are valid for a long period (e.g.up to 90 days).

Currently the change of the signing certificate requires users of these applications to re-authenticate on the IDP the next time thy hit the application - even if their refresh token is only a few days old. This causes load on the systems and user confusion.

It is because the validation of refresh (and access) tokens fails after changing the signing certificate. This current behavior was confirmed by case 02503042.

To support a certificate rollover without invalidating active OAuth refresh tokens, NAM IDP should support two OAuth signing certificates in parallel for a period of time like:

  • after adding a new signing certificate all new tokens are generated using this new signing certificate,
  • but existing refresh tokens are also checked against the old/previous signing certificate in addition to the new/current signing certificate

best regards,
Thomas

Resources

Support
Documentation
Learning Services
CyberRes Academy
Partner Programs
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Conduct
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.