/{customerId}/config/clients/{oidcClientId}/secret

Manages client secrets for OpenID Connect (OIDC) confidential and configuration clients. The GET method returns the secret for an OIDC client, while the PUT method enables you to reset a client secret. Resetting the secret lets you periodically rotate client secrets or change a client secret you believe might have been compromised.

Note that, when you change a client secret, the change takes effect immediately: there is no grace period in which both the old secret and the new secret are valid.


Authentication

This endpoint requires token-based authentication. To obtain an access token, you must use a configuration client (using the client ID as the username and the client secret as the password) to access the /{customerId}/login/token endpoint. The access token returned from the /{customerId}/login/token endpoint is then used in the Authorization header of your API call.

For example, if you get back the access token Ki712dpGq5GPQcsxMHY6ShHY7wU_iTs0o9dPx4TEzf5yLIvddjnDVBJxjPDucf5YVB, then your Authorization header would look like this when using Curl:

-H 'Authorization: Bearer Ki712dpGq5GPQcsxMHY6ShHY7wU_iTs0o9dPx4TEzf5yLIvddjnDVBJxjPDucf5YVB'

In Postman, set the Authorization Type to Bearer and use the access token as the value of the Token field.


Methods

This endpoint includes the following methods:

  • GET
  • POST
 

GET

Description

Returns the client secret for the specified OIDC client. Note that this is the only way to return the secret for a confidential or configuration client: the /{customerId}/config/clients/{oidcClientId} endpoint returns detailed information about an OIDC client, but does not return the client secret.

Path Parameters

Path parameters that must be included in the request are listed in the following table:

| Parameter | Type | Required | Description |
|---|---|---|---|
| {customerId} | string | Yes | Unique identifier of the customer associated with the OIDC client. |
| {oidcClientId} | string | Yes | Unique identifier of the OIDC client whose secret is being retrieved. |


Sample Request (Curl)

The following command returns the client secret for the confidential client 6be73a3a-5bf0-4190-a0de-698aa409ff28:

curl -X GET \
  https://v1.api.us.janrain.com/01000000-0000-3000-9000-000000000000/config/clients/6be73a3a-5bf0-4190-a0de-698aa409ff28/secret \
  -H 'Authorization: Bearer Ki712dpGq5GPQcsxMHY6ShHY7wU_iTs0o9dPx4TEzf5yLIvddjnDVBJxjPDucf5YVB'


Responses

200 OK

If your call to this endpoint succeeds, you'll get back the client secret:

{
    "secret": "7iv-pLUhFXOta3nN3aqIkOtEh0H_WRel9h65qE3JWgp9HVw4idRz9q5N3ZTCzFXmBvEEk79G6232U0utf5SKdA"
}


POST

Description

Resets the client secret for an OpenID Connect (OIDC) confidential client or configuration client. 


Path Parameters

Path parameters that must be included in the request are listed in the following table:

| Parameter | Type | Required | Description |
|---|---|---|---|
| {customerId} | string | Yes | Unique identifier of the customer associated with the OIDC client. |
| {oidcClientId} | string | Yes | Unique identifier of the OIDC client whose secret is being reset. |


Sample Request (Curl)

The following command resets the client secret for the confidential client af4f70a3-0364-4505-94c4-8d26df86e161:

curl -X POST \
  https://v1.api.us.janrain.com/01000000-0000-3000-9000-000000000000/config/clients/af4f70a3-0364-4505-94c4-8d26df86e161/secret \
  -H 'Authorization: Basic c2dueXZ1czZwYzRqbTdraHIybmVxNWdzODlnYnIyZXE6d3Q0YzN1bjl3a2tjZnZ5a25xeDQ0eW5jNDc2YWZzNjg='


Responses

201 Created

If your call to this endpoint succeeds, you'll get back the new client secret:

{
    "secret": "7iv-pLUhFXOta3nN3aqIkOtEh0H_WRel9fMUdE3JWgp9HVw4idRz9q5N3ZTCzFXmBvEEk79G6232U0utf5SKdA"
}


Response Codes

The following table includes information about some of the response codes that you might encounter when calling this endpoint.

| Response Code | Description |
|---|---|
| 400 | Bad request: Not a confidential client. You tried to reset the secret for a public OIDC client: public clients do not have client secrets. |
| 401 | Authentication required or Invalid credentials. You either did not specify an authentication method for the call (this endpoint requires Basic authentication) or the supplied client ID/client secret was incorrect. |
| 403 | Forbidden. You do not have permission to access the requested resource. |
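
The reset flow above, written as a rotation job that accounts for the missing grace period. This is an added example, not code from the original documentation. The `store` callback and the injectable `send` transport are hypothetical, and `auth_header` is assumed to belong to a configuration client other than the one being rotated, so it stays valid across the reset.

```python
import json
import urllib.error
import urllib.request

API_BASE = "https://v1.api.us.janrain.com"  # host from the page's sample requests
REASONS = {400: "not a confidential client",
           401: "authentication required or invalid credentials",
           403: "forbidden"}


class RotationError(Exception):
    """Raised when the reset or the read-back check fails."""


def http_send(method, url, headers):
    """Default transport: return (status, body) and do not raise on 4xx/5xx."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def rotate_secret(customer_id, client_id, auth_header, store, send=http_send):
    """Reset the secret, persist it at once, then confirm it is still current.

    store(client_id, secret) is a hypothetical callback that writes to your
    secret manager; auth_header is passed through as the Authorization value.
    """
    url = f"{API_BASE}/{customer_id}/config/clients/{client_id}/secret"
    headers = {"Authorization": auth_header}

    status, body = send("POST", url, headers)
    if status != 201:
        # The error text never includes the response body or any secret.
        raise RotationError(f"reset failed: {status} {REASONS.get(status, 'unexpected')}")
    new_secret = json.loads(body)["secret"]

    # No grace period: the old secret is already invalid, so persist the new
    # one before anything else can fail.
    store(client_id, new_secret)

    # Read back with GET. A mismatch means another reset happened in between
    # and the value just stored is no longer valid.
    status, body = send("GET", url, headers)
    if status != 200 or json.loads(body).get("secret") != new_secret:
        raise RotationError("read-back mismatch: stored secret is not the current one")
```

The function deliberately returns nothing, so the new secret only travels from the response to the secret store and is not left in a caller's variable or log line.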