Manage secrets and keys for OIDC apps
Secrets and keys management for OIDC apps allows you to safely and efficiently manage client authentication methods. With these settings, you can do the following:
- Choose between a client secret and public key/private key pair, and quickly generate them directly from the Admin Console. This eliminates the need to use APIs or third-party websites to generate public and private keys.
- Specify a URL for public keys in the Admin Console so Okta can automatically fetch the updated public key. This eliminates the need to manually update the public key in the Admin Console when you're rotating the key pair.
- Generate two client secrets simultaneously to safely rotate them without any app downtime. You can generate up to two client secrets for an app.
- Switch between client secret and public key/private key authentication methods.
You can also do these tasks using the Okta API. See Client Secret Rotation.
Before you begin
Review other settings for configuring an OIDC app. See Create OpenID Connect app integrations.
Start this procedure
With OAuth secrets and keys management, you can do the following tasks:
- Generate a public/private key pair from the Admin Console
- Add your public key from the Admin Console
- Add a second key pair from the Admin Console
- Automatically update a public key from a URL
- Rotate a client secret by creating a second client secret
- Change client authentication methods
Generate a public/private key pair from the Admin Console
- Go to the OIDC app.
- Click the General tab.
- In the Client Credentials section, click Edit.
- In Client Authentication, select Public Key / Private Key. The Add Key button appears.
- Click Add Key. The Add a Public Key pop-up window opens.
- Click Generate New Key. This generates a public key and a private key.
- Copy the private key, in either JSON or PEM format, to a secure location for future reference. The private key only appears once, at the time of generation. Okta doesn't store the private key.
- Click Done.
- On the General tab, click Save.
Your public key appears on the General tab. Click the key to see it in JSON format.
Add your public key from the Admin Console
- Go to the OIDC app.
- Click the General tab.
- In the Client Credentials section, click Edit.
- In Client Authentication, select Public Key / Private Key. The Add Key button appears.
- Click Add Key. The Add a Public Key pop-up window opens.
- In this window, paste your public key in the JSON format.
- Click Done.
- On the General tab, click Save.
Your public key appears on the General tab. Click the key to see it in the JSON format.
Add a second key pair from the Admin Console
- Go to the OIDC app.
- Click the General tab.
- In the Client Credentials section, click Edit.
- In Client Authentication, select Public Key / Private Key. The Add Key button appears.
- Click Add Key. The Add a Public Key pop-up window opens.
- In this window, paste your public key in the JSON format. Or, click Generate New Key to generate a new public and private key pair.
- Copy the private key, in either JSON or PEM format, to a secure location for future reference. The private key only appears once, at the time of generation. Okta doesn't store the private key.
- Click Done.
- On the General tab, click Save.
Your public key appears on the General tab. Click the key to see it in the JSON format.
Automatically update a public key from a URL
You can configure private_key_jwt client authentication for OIDC apps by specifying the URL where you store your public keys in the Admin Console. This eliminates the need to manually update the public key in Okta every time you rotate the key pairs. Okta dynamically fetches the latest public key for the app from this URL.
- Go to the OIDC app.
- Click the General tab.
- In the Client Credentials section, click Edit.
- In Client Authentication, select Public Key / Private Key.
- Select Use a URL to fetch keys dynamically.
- In the Url field, enter the URL where your public key is stored.
- Click Save.
Rotate a client secret by creating a second client secret
If you're using a client secret for authentication, you can generate a second secret to use for rotation.
- Go to the OIDC app.
- Click the General tab.
- In Client Secrets, click Generate new secret. A new secret is generated and appears in the Client Secret list. Both secrets are active by default.
- Click the clipboard icon. Update your servers with the newly generated secret.
- Back in the Admin Console, set the status for the old secret to Inactive. You can also delete an inactive secret.
Change client authentication methods
You can switch between a client secret and a public key/private key pair. Note that switching deletes the credentials of the method you leave:
- If you switch from public key/private key to client secret, the key pairs for the app are deleted.
- If you switch from client secret to public key/private key, all client secrets for the app are deleted.
- If you switch from saving public keys at Okta to fetching them from a URL, the public keys stored in Okta are deleted.