OptionOfT 3 days ago

This has been our issue too. We've had mandates for rotating OAuth secrets (client ID & client secret).

Except there are no APIs to rotate those. The infrastructure doesn't exist yet.

And refreshing those automatically does not validate ownership, unlike certificates where you can do a DNS check or an HTTP check.

Microsoft has some technology where, alongside these tokens, there is also a per-machine certificate that is used to sign requests, and those certificates can't leave the machine.

parliament32 3 days ago | parent

We've also felt the pain for OAuth secrets. Current mandates for us are 6 months.

Because we run on Azure / AKS, switching to federated credentials ("workload identities") with the app registrations made most of the pain go away because MS manages all the rotations (3 months) etc. If you're on managed AKS the OIDC issuer side is also automagic. And it's free. I think GCP offers something similar.

https://learn.microsoft.com/en-us/entra/workload-id/workload...
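The exchange behind the federated-credential setup parliament32 describes, as an added example (not code from the thread or from Microsoft's SDKs): the pod presents the short-lived service account token that the kubelet projects into it as an OAuth client assertion, in place of a client secret, so there is no long-lived secret left to rotate. The environment variable names are the ones the Azure Workload Identity webhook injects; the unsigned demo assertion, issuer and subject values are constructed for offline use, and the pre-send check mirrors the issuer/subject/audience match Entra performs against the registered federated credential.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"  # audience a federated credential expects

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_demo_assertion(claims: dict) -> str:
    """Constructed, UNSIGNED JWT for offline demonstration only; on AKS the
    kubelet projects a real, signed, short-lived token into the pod."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def unverified_claims(jwt: str) -> dict:
    """Payload only; Entra verifies the signature against the issuer's JWKS."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_unb64url(parts[1]))

def check_assertion(jwt: str, expected_issuer: str, expected_subject: str, now=None) -> dict:
    """Fail fast locally on the same mismatches Entra would reject remotely."""
    c = unverified_claims(jwt)
    now = time.time() if now is None else now
    aud = c.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    if c.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    if c.get("sub") != expected_subject:  # e.g. system:serviceaccount:<ns>:<sa>
        raise ValueError("subject mismatch")
    if EXCHANGE_AUDIENCE not in auds:
        raise ValueError("audience mismatch")
    if c.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    return c

def build_token_request(client_id, tenant_id, assertion, scope,
                        authority="https://login.microsoftonline.com"):
    """client_credentials grant authenticated by a JWT assertion, not a secret."""
    url = f"{authority.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    body = {"client_id": client_id, "grant_type": "client_credentials", "scope": scope,
            "client_assertion_type": CLIENT_ASSERTION_TYPE, "client_assertion": assertion}
    return url, body

def exchange_from_env(scope: str) -> dict:
    """Read the webhook-injected env vars and perform the exchange (needs network)."""
    with open(os.environ["AZURE_FEDERATED_TOKEN_FILE"]) as f:
        assertion = f.read().strip()
    url, body = build_token_request(os.environ["AZURE_CLIENT_ID"], os.environ["AZURE_TENANT_ID"], assertion,
                                    scope, os.environ.get("AZURE_AUTHORITY_HOST", "https://login.microsoftonline.com"))
    req = urllib.request.Request(url, data=urllib.parse.urlencode(body).encode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```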