- Type: Sub-Task
- Status: Closed
- Priority: Minor
- Resolution: Completed
- Affects Version/s: None
- Fix Version/s: 1.0-portal_7.1.0
- Component/s: None
- Labels: None
- Sprint: August_Appliaction Security
Preconditions:
- User is signed in
- At least one OAuth2 application with "client type = Confidential" property exists and user has permission to UPDATE it
- User can display OAuth2 Applications portlet
Events flow:
- User displays OAuth2 Applications
- Portal displays the SCR006 List of OAuth2 Applications (OAUTH2-82) screen
- User clicks the "Reset secret" action button in a "Confidential" type row
- Portal shows a confirmation dialog with the SCR011 Reset Application Secret (OAUTH2-106) warning
- User approves the confirmation box
- Portal resets the client secret
Post-conditions:
- Application secret is reset to a new secure random value
- Existing remote clients can no longer use the old client secret in the supported OAuth2 grant processes (Authorization Code, Resource Owner Password Credentials, Client Credentials) to obtain new tokens
- Existing granted tokens remain valid; to revoke all tokens, the application must be deleted
Again, the portal should clearly communicate the consequences of resetting an Application's secret.
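The post-conditions above, as an added toy model (not Liferay's code): a Confidential client's secret is stored as a digest, `reset_secret` replaces it with a fresh random value so the old secret fails client authentication, already-issued tokens stay valid because validity is checked against the token store rather than the secret, and only deleting the application revokes them. Class and method names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def hash_secret(secret: str) -> str:
    # Only a digest is stored; SHA-256 is adequate here because the secret
    # itself is a 256-bit random value, not a user-chosen password.
    return hashlib.sha256(secret.encode()).hexdigest()

@dataclass
class AuthorizationServer:
    secret_hashes: dict = field(default_factory=dict)  # client_id -> digest
    tokens: dict = field(default_factory=dict)         # token -> client_id

    def register(self, client_id: str) -> str:
        """Create a Confidential client; the plaintext secret is shown once."""
        secret = secrets.token_urlsafe(32)
        self.secret_hashes[client_id] = hash_secret(secret)
        return secret

    def authenticate_client(self, client_id: str, secret: str) -> bool:
        digest = self.secret_hashes.get(client_id)
        if digest is None:
            return False
        return hmac.compare_digest(digest, hash_secret(secret))  # constant-time

    def client_credentials_grant(self, client_id: str, secret: str):
        """One of the grants the reset affects: returns a token or None."""
        if not self.authenticate_client(client_id, secret):
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = client_id
        return token

    def reset_secret(self, client_id: str) -> str:
        """Replace the secret with a fresh random one; tokens are untouched."""
        new_secret = secrets.token_urlsafe(32)
        self.secret_hashes[client_id] = hash_secret(new_secret)
        return new_secret

    def validate_token(self, token: str) -> bool:
        # Token validity depends on the token store only, not on the secret.
        return token in self.tokens

    def delete_application(self, client_id: str) -> None:
        """Deleting the application is what revokes all of its tokens."""
        self.secret_hashes.pop(client_id, None)
        self.tokens = {t: c for t, c in self.tokens.items() if c != client_id}
```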
- depends on: OAUTH2-82 SCR006 List of OAuth2 Applications (Closed)
- relates to: OAUTH2-178 DOC: Manage OAuth2 Application using OAuth2 Administration portlet (Open)
- relates to: OAUTH2-106 SCR011 Reset Application Secret (Closed)