Secrets Management

Introduction

The Client Secret API is used to manage the secrets of SLB Authenticator confidential clients and allows applications to:

  • Create a secret for an existing client
  • Get the list of secrets of a client
  • Rotate secret (Create a new secret and revoke an existing secret)
  • Revoke a secret

Authorization Token

All of these APIs expect an SLB Authenticator CCG token. The audience of the token must be a626328313944601ba26cd1ffbaf6a53, and no whitelisting is required.

Note:

  • The subject of the token must be the clientID whose secrets you want to manage.
  • Secrets created using these APIs work just like the secret generated during client creation, i.e. they can be used in the Client Credentials Grant.

Secret Management APIs

Create a Secret

This API creates a secret for an SLB Authenticator Confidential Client.

POST /v1/clients/{clientID}/secrets

A secret will be created for the given client. The following are three sample cURL commands and their outputs for generating a secret for a client.

Case 1: When a user wants to create a secret for a client.
For example, when a user wants to create a new secret for the confidential client with clientID '01729e667abd48e3bba47afea66f5a57'.

Sample cURL:

curl --location --request POST 'https://api.delfi.slb.com/auth/client/v1/clients/01729e667abd48e3bba47afea66f5a57/secrets' \
--header 'accept: application/json' \
--header 'Content-Type: application/json' \
--header 'AppKey: your-appkey' \
--header 'Authorization: Bearer your-ccg-token' \
--data-raw '{
  "secretName": "second secret"
}'

Sample output:

{
  "secretId": "d358e35b50b44075b7c2570171edaa07",
  "secretName": "second secret",
  "secretValue": "3c4a6854c6fc4ebf80585bb0d7c5bbbd3a7e06915a5e727f0"
}

Case 2: When a user wants to create a secret for a client and the subject of the token is not '01729e667abd48e3bba47afea66f5a57'.
For example, when a user wants to create a new secret for the confidential client with clientID '01729e667abd48e3bba47afea66f5a57'.

Sample cURL:

curl --location --request POST 'https://api.delfi.slb.com/auth/client/v1/clients/01729e667abd48e3bba47afea66f5a57/secrets' \
--header 'accept: application/json' \
--header 'Content-Type: application/json' \
--header 'AppKey: your-appkey' \
--header 'Authorization: Bearer your-ccg-token' \
--data-raw '{
  "secretName": "second secret"
}'

Sample output:

{
  "Message": "UnAuthorized"
}

Case 3: When a user wants to create a secret for a client that has already reached the secret limit.
For example, when a user wants to create a thirteenth secret for the confidential client with clientID '01729e667abd48e3bba47afea66f5a57'.

Sample cURL:

curl --location --request POST 'https://api.delfi.slb.com/auth/client/v1/clients/01729e667abd48e3bba47afea66f5a57/secrets' \
--header 'accept: application/json' \
--header 'Content-Type: application/json' \
--header 'AppKey: your-appkey' \
--header 'Authorization: Bearer your-ccg-token' \
--data-raw '{
  "secretName": "thirteenth secret"
}'

Sample output:

{
  "Message": "Maximum number of secrets reached for the given client"
}

Get Secrets

This API lists the secrets of an SLB Authenticator Confidential Client. The secret generated during client creation is not yet included in the Get Secrets response.

GET /v1/clients/{clientID}/secrets

Sample cURL:

curl --location --request GET 'https://api.delfi.slb.com/auth/client/v1/clients/01729e667abd48e3bba47afea66f5a57/secrets' \
--header 'accept: application/json' \
--header 'Content-Type: application/json' \
--header 'AppKey: your-appkey' \
--header 'Authorization: Bearer your-ccg-token'

Sample output:

{
  "secrets": [
    {
      "secretId": "a58cffd4518b4f5881297aea3995c987",
      "secretName": "first secret"
    },
    {
      "secretId": "d358e35b50b44075b7c2570171edaa07",
      "secretName": "second secret"
    }
  ]
}

Rotate Secret

A new secret will be created for the given client and the given secretId will be revoked. The following are sample cURL commands and their outputs for performing a secret rotation for a client.

PUT /v1/clients/{clientID}/secrets

Case 1: When a user tries to perform a secret rotation for a client.
For example, when a user wants to create a new secret for the confidential client with clientID '01729e667abd48e3bba47afea66f5a57' and revoke an existing secret with id a58cffd4518b4f5881297aea3995c987 whose name is 'final secret'.

Sample cURL:

curl --location --request PUT 'https://api.delfi.slb.com/auth/client/v1/clients/01729e667abd48e3bba47afea66f5a57/secrets' \
--header 'accept: application/json' \
--header 'Content-Type: application/json' \
--header 'AppKey: your-appkey' \
--header 'Authorization: Bearer your-ccg-token' \
--data-raw '{
  "secretName": "new secret",
  "existingSecretId": "a58cffd4518b4f5881297aea3995c987"
}'

Sample output:

{
  "revokedSecretId": "a58cffd4518b4f5881297aea3995c987",
  "revokedSecretName": "first secret",
  "secretId": "5af2359d489e4c7aa96f96b87f6482ab",
  "secretName": "rotated secret",
  "secretValue": "2ed3f97189d70befadd8d26282dee693492f8bf52994483c7"
}

Case 2: When a user tries to perform a secret rotation for a client with a secretId that does not exist.
For example, when a user wants to create a new secret for the confidential client with clientID '01729e667abd48e3bba47afea66f5a57' and the secret with id a58cffd4518b4f5881297aea3995c987 does not exist.

Sample cURL:

curl --location --request PUT 'https://api.delfi.slb.com/auth/client/v1/clients/01729e667abd48e3bba47afea66f5a57/secrets' \
--header 'accept: application/json' \
--header 'Content-Type: application/json' \
--header 'AppKey: your-appkey' \
--header 'Authorization: Bearer your-ccg-token' \
--data-raw '{
  "secretName": "rotated secret",
  "existingSecretId": "a58cffd4518b4f5881297aea3995c987"
}'

Sample output:

{
  "Message": "Secret Not Found"
}

Revoke Secret

Revokes a specific secret for a client. After revocation, that secret value can no longer be used in CCG.

DELETE /v1/clients/{clientID}/secrets/{secretID}

Sample cURL:

curl --location --request DELETE 'https://api.delfi.slb.com/auth/client/v1/clients/01729e667abd48e3bba47afea66f5a57/secrets/d358e35b50b44075b7c2570171edaa07' \
--header 'accept: application/json' \
--header 'Content-Type: application/json' \
--header 'AppKey: your-appkey' \
--header 'Authorization: Bearer your-ccg-token'

Sample output:

{
  "id": "d358e35b50b44075b7c2570171edaa07",
  "message": "Revoked"
}

Limitations

The main limitations are:

  • At any point in time a confidential client can have a maximum of 12 secrets. No new secret can be created once the limit is reached.
  • The secret value is returned only at the moment the secret is created (Create and Rotate); it is not stored anywhere and cannot be retrieved later.
  • The secret created during client creation cannot be modified.
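The Get, Rotate and error cases above, combined into one rotation routine. This is an added example, not SLB's own client code: it looks up a secret by name with GET, rotates it with a single PUT so the old secret is revoked in the same call, and hands the one-time secretValue straight to a store callback rather than returning or logging it. The transport callable, the HTTP status threshold and the replaying fake_transport are assumptions constructed for offline use; the base URL, paths, headers and response bodies are taken from the samples on this page.

```python
from typing import Callable, Dict, Optional, Tuple

# Base URL and paths taken from the sample cURL commands on this page.
BASE_URL = "https://api.delfi.slb.com/auth/client"
# Transport: (method, url, headers, json_body_or_None) -> (http_status, parsed_json).
# Injecting it keeps the logic testable offline; wrap urllib or requests for real use.
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


class SecretApiError(Exception):
    """The API answered with a 'Message' (UnAuthorized, Secret Not Found, ...) instead of data."""


def _headers(app_key: str, ccg_token: str) -> Dict[str, str]:
    return {"accept": "application/json", "Content-Type": "application/json",
            "AppKey": app_key, "Authorization": f"Bearer {ccg_token}"}


def _call(transport: Transport, method: str, path: str, app_key: str, token: str, body=None) -> dict:
    status, data = transport(method, f"{BASE_URL}{path}", _headers(app_key, token), body)
    if status >= 400 or "Message" in data:  # status threshold is an assumption; the page shows only bodies
        raise SecretApiError(data.get("Message", f"HTTP {status}"))
    return data


def rotate_secret_by_name(transport, client_id, app_key, token, old_name, new_name, store):
    """Rotate the secret named old_name: one PUT creates new_name and revokes the old one.
    The new secretValue goes only to store(secret_id, value); it is never returned or logged,
    because the API discloses it once and cannot show it again (see Limitations)."""
    secrets = _call(transport, "GET", f"/v1/clients/{client_id}/secrets", app_key, token)["secrets"]
    ids = [s["secretId"] for s in secrets if s["secretName"] == old_name]
    if len(ids) != 1:
        raise SecretApiError(f"expected exactly one secret named {old_name!r}, found {len(ids)}")
    resp = _call(transport, "PUT", f"/v1/clients/{client_id}/secrets", app_key, token,
                 {"secretName": new_name, "existingSecretId": ids[0]})
    store(resp["secretId"], resp["secretValue"])
    return {k: resp[k] for k in ("revokedSecretId", "revokedSecretName", "secretId", "secretName")}


def fake_transport(method, url, headers, body):
    """Constructed stand-in for the real API that replays the sample responses from this page."""
    if headers.get("Authorization") != "Bearer your-ccg-token":  # token subject != clientID case
        return 401, {"Message": "UnAuthorized"}
    if method == "GET":
        return 200, {"secrets": [{"secretId": "a58cffd4518b4f5881297aea3995c987", "secretName": "first secret"}]}
    if method == "PUT" and body.get("existingSecretId") == "a58cffd4518b4f5881297aea3995c987":
        return 200, {"revokedSecretId": body["existingSecretId"], "revokedSecretName": "first secret",
                     "secretId": "5af2359d489e4c7aa96f96b87f6482ab", "secretName": body["secretName"],
                     "secretValue": "2ed3f97189d70befadd8d26282dee693492f8bf52994483c7"}
    return 404, {"Message": "Secret Not Found"}
```

Because the returned dict omits secretValue, the caller cannot accidentally print or persist it anywhere other than the store callback.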