Manage secrets and keys for OIDC apps

Secrets and keys management for OIDC apps allows you to safely and efficiently manage client authentication methods. With these settings, you can do the following:

  • Choose between client secret and public key / private key pair, and quickly generate them directly from the Admin Console. This eliminates the need to use APIs or third-party websites to generate public and private keys.
  • Specify URI for public keys in the Admin Console so Okta can automatically fetch the updated public key. This eliminates the need to manually update the public key in the Admin Console when you’re rotating the key pair.
  • Generate two client secrets simultaneously to safely rotate them without any application downtime. You can generate up to two client secrets for an app. They are listed under the Client Secrets section. From this section, you can view, copy, deactivate and delete a client secret.
  • Switch between client secret and public key / private key authentication methods.

You can also do these tasks using the Okta API. See Client Secret Rotation.

Before you begin

Review other settings for configuring an OIDC app. See Create OIDC app integrations using AIW.

Start this procedure

With OAuth secrets and keys management, you can do the following tasks:

Generate public key / private key pair from the Admin Console

  1. Go to the OIDC app > General tab > Client Credentials > Edit.

  2. In Client Authentication, select Public Key / Private Key. The Add Key button appears.

  3. Click Add Key. The Add a Public Key pop-up window opens.

  4. In this window, click Generate New Key. This generates a public key and a private key.

  5. Copy the private key to a secure location for future reference. You can copy the private key in either JSON or PEM format. Private key is only displayed once at the time of generation. Okta doesn’t store the private key.

  6. Click Done. You are redirected back to the General tab.

  7. On the tab, click Save.

Your public key is listed on the General tab. You can click the key to see it in the JSON format.

Add your public key from the Admin Console

  1. Go to the OIDC app > General tab > Client Credentials > Edit.

  2. In Client Authentication, select Public Key / Private Key. The Add Key button appears.

  3. Click Add Key. The Add a Public Key pop-up window opens.

  4. In this window, paste your public key in the JSON format.

  5. Click Done. You are redirected back to the General tab.

  6. On the tab, click Save.

Your public key is listed on the General tab. You can click the key to see it in the JSON format.

Add a second key pair from the Admin Console

  1. Go to the OIDC app > General tab > Public Keys > Add. The Add a Public Key pop-up window opens.

  2. In this window, paste your public key in the JSON format. Or, click Generate New Key to generate a new pair of public key and a private key. Copy the private key to a secure location for future reference. Private key is only displayed once at the time of generation. Okta doesn’t store the private key.

  3. Click Save.

A new public key is listed on the General tab. You can click the key to see it in the JSON format.

Automatically update public key by specifying URI

You can configure private_key_jwt client authentication for OIDC apps by specifying the URI where you store your public keys in the Admin Console. This eliminates the need to manually update the public key in Okta every time you rotate the key pairs. Using the URI specified in the Admin Console, Okta dynamically fetches the latest public key for the app.

  1. Go to the OIDC app > General tab > Client Credentials > Edit.

  2. In Client Authentication, select Public Key / Private Key.

  3. In Public Keys > Configuration, select Use a URL to fetch keys dynamically.

  4. Provide the URI where your public key is stored.

  5. Click Save.

Rotate a client secret by creating second client secret

If you’re using a client secret for authentication, you can generate a second secret to use for rotation.

  1. Go to the OIDC app > General tab > Client Credentials > Edit.

  2. In Client Secrets, click the Generate new secret button. A new secret is generated and appears under the Client Secret list. Both secrets are active by default.

  3. Click Save.

  4. Use the newly generated secret to update the servers.

  5. Back in the Admin Console, set the status for the old secret to Inactive. You can also delete an inactive secret.

Change client authentication methods

You can switch between client secret and public key / private key.

  • If you switch from public key / private key to client secret, the key pairs for the app are deleted.
  • However, if you switch from client secret to public key / private key, all client secrets for the app are deleted.
  • If you switch from saving public keys at Okta to fetching them from a URL, the public keys stored in Okta are deleted.