Managing OAuth client secret expiry
11-13-2023 06:50 PM - edited 11-13-2023 06:52 PM
Hi,
We have a few integrations where the OAuth client secret needs to be changed on a regular basis (e.g. some every 6 months, another every 12 months). There does not appear to be a ServiceNow-provided method to manage this.
Is anyone aware of ServiceNow functionality to do this?
In the absence of an OOTB solution, I was thinking of the following:
- Custom fields on the oauth_entity table:
  - Client Secret Expiry behaviour [choice: None, Expires]
  - Client Secret duration [Integer]
  - Client Secret expiry date [date field, calculated when the client secret changes]
  - Notify on Expiration [Glide list on sys_user]
  - Warn in days to expire [integer]
- Notifications triggered:
  - when current date = client secret expiry date less the "Warn in days to expire" value
  - when current date = client secret expiry date less 2 days
  - when current date = client secret expiry date plus one day
Any thoughts?
Thanks,
Steve
3 weeks ago
Hi @stevemacas, as you mentioned at the beginning of your post, there is no out-of-the-box mechanism in ServiceNow to manage client secret rotation. However, your suggested approach of notifying stakeholders or application owners about client secret expiration works well.
My recommendation is this: since the client secret is stored in the password2 field, you can create a scheduled job that runs against Application Registry records. The job can check whether the client secret expiry date is today (or has already passed). If a secret is due to expire, the scheduled job can automatically generate a strong random password and update the client secret field accordingly.
Note: Client secrets that are created or generated within ServiceNow typically do not expire by default. You can refer to the expert discussion here for more details:
Do Client Secret expires, if created and configured for Inbound integration in Application Registry
