/{customer_id}/config/clients/{client_id}/secret

Resets the client secret for an OpenID Connect (OIDC) confidential client or a configuration client. This endpoint provides a way to periodically rotate client secrets or to change a client secret you believe might have been compromised. The /secret endpoint is also your only recourse if you have forgotten the secret associated with an OIDC client: there is currently no way to retrieve a secret after the client has been created. Instead, the secret is displayed once (as part of the API response generated when the client is created) and cannot be retrieved after that.

Note that, when you change a client secret, the change takes effect immediately: there is no grace period in which both the old secret and the new secret are valid.

Authentication

This endpoint requires Basic authentication. When configuring authentication, you must use the client ID of a confidential OpenID Connect (OIDC) client as your username and the client secret of that same OIDC client as your password.

Methods

This endpoint includes the following methods:

  • POST

POST

Description

Resets the client secret for an OpenID Connect (OIDC) confidential client or configuration client.

Path Parameters

Path parameters that must be included in the request are listed in the following table:

Path Parameters

Parameter       Type     Required   Description
{customer_id}   string   Yes        Unique identifier of the customer associated with the OIDC client.
{client_id}     string   Yes        Unique identifier of the OIDC client whose secret is being reset.

Sample Request (Curl)

The following command resets the client secret for the confidential client af4f70a3-0364-4505-94c4-8d26df86e161:

curl -X POST \
  https://v1.api.us.janrain.com/01000000-0000-3000-9000-000000000000/config/clients/af4f70a3-0364-4505-94c4-8d26df86e161/secret \
  -H 'Authorization: Basic c2dueXZ1czZwYzRqbTdraHIybmVxNWdzODlnYnIyZXE6d3Q0YzN1bjl3a2tjZnZ5a25xeDQ0eW5jNDc2YWZzNjg='

Responses

201 Created

If your call to this endpoint succeeds, you'll get back the new client secret:

{
    "secret": "7iv-pLUhFXOta3nN3aqIkOtEh0H_WRel9fMUdE3JWgp9HVw4idRz9q5N3ZTCzFXmBvEEk79G6232U0utf5SKdA"
}

Be sure to copy this secret and store it in a secure location: there is no way to retrieve a client secret after it’s been created. You can use an API call to return all the other properties of a confidential client; however, the client secret is not included in that property set.

Response Codes

The following table includes information about some of the response codes that you might encounter when calling this endpoint.

Response Codes

Code   Description
400    Bad request: Not a confidential client. You tried to reset the secret for a public OIDC client: public clients do not have client secrets.
401    Authentication required or Invalid credentials. You either did not specify an authentication method for the call (this endpoint requires Basic authentication) or the supplied client ID/client secret was incorrect.
403    Forbidden. You do not have permission to access the requested resource.
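
The following rotation routine is an added example, not part of the original documentation or of any vendor SDK. Because the reset takes effect immediately and the secret is returned only once, it opens an owner-only destination file before sending the POST, then maps the documented response codes to errors. The function names, the local file used as the secret store, and the injectable send parameter are assumptions made for illustration.

```python
import base64, json, os
import urllib.error, urllib.request

API_BASE = "https://v1.api.us.janrain.com"  # host from the page's curl sample
# Response codes documented on the page.
ERRORS = {400: "not a confidential client",
          401: "authentication required or invalid credentials",
          403: "forbidden"}

def build_reset_request(customer_id, client_id, auth_id, auth_secret):
    """Build POST /{customer_id}/config/clients/{client_id}/secret with Basic auth."""
    token = base64.b64encode(f"{auth_id}:{auth_secret}".encode()).decode()
    url = f"{API_BASE}/{customer_id}/config/clients/{client_id}/secret"
    return urllib.request.Request(url, method="POST",
                                  headers={"Authorization": f"Basic {token}"})

def parse_reset_response(status, body):
    """Return the new secret from a 201 body; raise on any other outcome."""
    if status != 201:
        raise RuntimeError(f"reset failed: HTTP {status} ({ERRORS.get(status, 'unexpected')})")
    secret = json.loads(body).get("secret")
    if not secret:
        raise RuntimeError("201 response carried no secret")
    return secret

def rotate(customer_id, client_id, auth_id, auth_secret, path,
           send=urllib.request.urlopen):
    """Reset the secret and store it at `path` (assumed local store); never prints it.

    `send` is injectable (an assumption of this example) so the flow runs offline.
    """
    tmp = path + ".new"
    # Create the destination before the POST: the old secret stops working at once
    # and the new one is shown only once, so an unwritable store must fail first.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as out:
            req = build_reset_request(customer_id, client_id, auth_id, auth_secret)
            try:
                with send(req, timeout=30) as resp:
                    status, body = resp.status, resp.read()
            except urllib.error.HTTPError as err:  # urlopen raises on 4xx/5xx
                status, body = err.code, err.read()
            out.write(parse_reset_response(status, body))
    except Exception:
        os.unlink(tmp)  # nothing usable was written; leave no stray file
        raise
    os.replace(tmp, path)  # atomic swap: readers see old or new, never partial
```

If the client used for Basic authentication is the same client whose secret is reset, every later call must authenticate with the newly stored secret.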