mirror of
https://github.com/pocket-id/pocket-id.git
synced 2025-12-06 09:13:19 +03:00
🚀 Feature: Set expiration for client secrets #205
Originally created by @ItalyPaleAle on GitHub.
Feature description
Pocket ID should allow setting an expiration for client secrets for OAuth clients, so for example client secrets are valid for 6 months only (it would still be possible to create client secrets that do not expire). As a consequence of this, it should also allow one app to have more than one client secret, which is required to safely rotate credentials in OAuth2 apps without downtime.
Example from MS Entra ID:
Given our audience, Pocket ID could continue to offer non-expiring secrets, but it should come with a security disclaimer.
Pitch
Long-lived secrets (especially shared ones) are considered a bad practice in web app security.
In fact, OWASP lists "secret leakage" as one of the most common non-human identity risks in 2025, and using shorter-lived secrets and rotating them periodically is one of the recommended mitigations. (Full page on secret management from OWASP for more details)
By making secrets automatically expire, we force users to rotate them periodically.
Because of the need to rotate secrets, this also means we will need to support more than 1 client secret per app, so users can first create a new secret, add it to their existing apps, and then delete the old one after.
PS: #361 will offer an alternative to client secrets when supported (and with that PR, it should be possible to have no client secret at all in an app), but it does not work in all environments. Realistically, many users will continue to need to use client secrets.
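One way to model what the issue asks for (several secrets per client, each with an optional expiry, and a check that only honours unexpired ones so a new secret can be issued before the old one is deleted), as an added Go example that is not Pocket ID's own code. It assumes client secrets are random, high-entropy values, so storing a plain SHA-256 digest is enough; the names ClientSecret, Client, AddSecret, RevokeSecret and Authenticate are illustrative.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"time"
)

// ClientSecret stores only a SHA-256 digest; a zero ExpiresAt means "never expires".
type ClientSecret struct {
	ID        string
	Hash      [32]byte
	ExpiresAt time.Time
}

// Client holds several secrets so a new one can be added before the old one is removed.
type Client struct{ Secrets []ClientSecret }

// AddSecret registers a secret valid for ttl from now; ttl <= 0 makes it non-expiring.
func (c *Client) AddSecret(id, secret string, ttl time.Duration, now time.Time) {
	cs := ClientSecret{ID: id, Hash: sha256.Sum256([]byte(secret))}
	if ttl > 0 {
		cs.ExpiresAt = now.Add(ttl)
	}
	c.Secrets = append(c.Secrets, cs)
}

// RevokeSecret deletes a secret by ID: the final step of a rotation.
func (c *Client) RevokeSecret(id string) {
	kept := c.Secrets[:0]
	for _, s := range c.Secrets {
		if s.ID != id {
			kept = append(kept, s)
		}
	}
	c.Secrets = kept
}

// Authenticate accepts the presented secret if it matches any stored secret still valid at now.
func (c *Client) Authenticate(presented string, now time.Time) (string, bool) {
	h := sha256.Sum256([]byte(presented))
	for _, s := range c.Secrets {
		if !s.ExpiresAt.IsZero() && !now.Before(s.ExpiresAt) {
			continue // expired: rejected even when the value matches
		}
		if subtle.ConstantTimeCompare(h[:], s.Hash[:]) == 1 {
			return s.ID, true // returning the ID lets the server log which credential is in use
		}
	}
	return "", false
}
```

During a rotation both secrets authenticate until the old one is revoked or reaches its expiry, which is what lets apps switch credentials without downtime.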
@ItalyPaleAle commented on GitHub:
Aside from expiring client secrets, what are your thoughts on multiple client secrets, which at least allows rotating them more effectively? And disable the client secret entirely if users just want JWTs for client auth.
Google and GitHub do support multiple secrets for OAuth apps, but indeed not auto-expiring ones as you're saying. (But to be fair, making secrets expire is a relatively low hanging fruit)
@stonith404 commented on GitHub:
I believe this approach may be overkill for Pocket ID. Pocket ID is primarily designed for non-enterprise users, because there are better alternatives for enterprises.
For our target audience, I doubt that they want their client secrets to expire. Non-enterprise users who want to rotate secrets can still do so manually with minimal downtime, which should be acceptable. Additionally, they'll have the option to use JWT private key authentication (once it's ready).
Most major OIDC providers don't implement expiring client secrets. Google, GitHub, and even Authentik (if I'm not mistaken) don't support this feature, or do you know other providers besides Entra ID that support it?
@stonith404 commented on GitHub:
It seems that this isn't really requested based on the upvotes. We might want to consider allowing multiple client secrets, but I would create a new feature request for that and track the upvotes on the issue.
@kmendell commented on GitHub:
@stonith404 did we decide against this feature?