We are using IdentityServer4 for single sign-on and to protect our API resources. We have a scenario where we are exposing our API endpoint to external apps using the Client Credential mechanism. Now the business ask is not to share the client secret with users in an offline mode, but rather to give them a self-serve option for periodically rotating their keys.
Now the problem is that after the application starts and the in-memory clients are initially loaded, if we want to refresh the ClientId-ClientSecret for a client, we are unable to do that, and the new credentials come into force only after we restart our application.

    services.AddIdentityServer()
        .AddDeveloperSigningCredential()
        .AddInMemoryPersistedGrants()
        .AddInMemoryIdentityResources(Config.GetIdentityResources())
        .AddInMemoryApiResources(Config.GetApiResources())
        .AddInMemoryClients(Config.GetClients(Configuration)) // Loading clients
        .AddAspNetIdentity<ApplicationUser>()
        .AddProfileService<ProfileService>()
        .AddDeveloperSigningCredential();

We are looking for an option where we can dynamically refresh client credentials for our client apps. Any help is appreciated. Thanks :)
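
One way to approach the rotation described above, as an added example that is not part of the original post: a custom `IClientStore` that IdentityServer4 queries at request time, with a rotation method that stores only the hash of the new secret and keeps the old one valid for a short overlap. `RotatingClientStore`, `RotateSecret` and the overlap window are hypothetical names and choices; the sketch assumes `Config.GetClients(Configuration)` returns `IEnumerable<Client>` and that a single instance holds the clients in memory.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Stores;

// Registration (assumed; used in place of .AddInMemoryClients(...)):
//   services.AddSingleton(new RotatingClientStore(Config.GetClients(Configuration)));
//   services.AddIdentityServer() ... .AddClientStore<RotatingClientStore>();
// Hypothetical class: clients are looked up per request, so changes apply without a restart.
public class RotatingClientStore : IClientStore
{
    private readonly ConcurrentDictionary<string, Client> _clients;

    public RotatingClientStore(IEnumerable<Client> seed) =>
        _clients = new ConcurrentDictionary<string, Client>(
            seed.ToDictionary(c => c.ClientId));

    // Called by IdentityServer whenever it needs to resolve a client.
    public Task<Client> FindClientByIdAsync(string clientId) =>
        Task.FromResult(_clients.TryGetValue(clientId, out var c) ? c : null);

    // Issues a new random secret and returns the plaintext exactly once;
    // only its SHA-256 hash is kept. Existing secrets expire after 'overlap'.
    public string RotateSecret(string clientId, TimeSpan overlap)
    {
        if (!_clients.TryGetValue(clientId, out var client))
            throw new KeyNotFoundException(clientId);

        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var plaintext = Convert.ToBase64String(bytes);

        // Drop expired secrets and cap the lifetime of the remaining ones.
        var now = DateTime.UtcNow; var cutoff = now + overlap;
        var secrets = client.ClientSecrets
            .Where(s => s.Expiration == null || s.Expiration > now)
            .Select(s => new Secret(s.Value, s.Description,
                s.Expiration < cutoff ? s.Expiration : cutoff) { Type = s.Type })
            .ToList();
        secrets.Add(new Secret(plaintext.Sha256()));

        client.ClientSecrets = secrets; // swap the reference; never mutate in place
        return plaintext;
    }
}
```

Because the store lives in memory, rotated secrets are lost on restart and are not shared between instances; a self-service endpoint calling `RotateSecret` would also need to authenticate the caller as the owner of that client.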