I have a third party application that is powering a backend service that calls Foundry APIs. Security regulations require regular secret rotation. Whenever I rotate the secret of an OAuth application in Foundry, the old secret immediately stops working, causing errors in my backend application until the new secret can be added.
What is the recommended way to gracefully rotate client secrets in third-party/OAuth applications?
The ungraceful way to do it is to create two OAuth applications, A and B, with identical scopes. Say your app starts off using client A and it’s time to rotate the secret.
1. Rotate client B’s secret. Client B is unused, so this won’t break anything.
2. Switch your app from using client A to client B, with the corresponding new secret.
3. Optionally, wait until client A is fully unused and then rotate its secret. This step is not technically necessary because client A won’t be in use at that point.
Then, when it’s time to rotate again, do the same thing in reverse.
I fully admit that this is an ugly hack. I’ll convert this question to a feature request on our end, since I think it’s reasonable to want something better than this.
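As an added illustration of the two-client scheme in the answer above (my own constructed simulation, not Foundry code or any Foundry API): `AuthServer` is a hypothetical stand-in that mimics the one behaviour the question relies on, namely that rotating a client's secret invalidates the old secret immediately, and `Backend` is a stand-in for the service that holds one client id/secret pair at a time.

```python
import secrets


class AuthServer:
    """Constructed stand-in for the OAuth client registry (not Foundry's API)."""

    def __init__(self):
        self.clients = {}  # client_id -> currently valid secret

    def register(self, client_id):
        self.clients[client_id] = secrets.token_urlsafe(16)
        return self.clients[client_id]

    def rotate(self, client_id):
        # The old secret stops working the moment the new one is issued.
        self.clients[client_id] = secrets.token_urlsafe(16)
        return self.clients[client_id]

    def token(self, client_id, secret):
        return self.clients.get(client_id) == secret


class Backend:
    """Stand-in for the backend service; holds one active client credential."""

    def __init__(self, client_id, secret):
        self.client_id, self.secret = client_id, secret

    def call_api(self, auth):
        return auth.token(self.client_id, self.secret)


def naive_rotation(auth, backend):
    """Rotate the active client's secret in place; count failed calls until the new secret is deployed."""
    failures = 0
    new_secret = auth.rotate(backend.client_id)
    if not backend.call_api(auth):  # backend still presents the old secret here
        failures += 1
    backend.secret = new_secret  # new secret finally deployed
    return failures, backend.call_api(auth)


def two_client_rotation(auth, backend, standby_id):
    """Steps 1-3 from the answer: rotate the unused standby, switch to it, then rotate the retired client."""
    failures = 0
    new_secret = auth.rotate(standby_id)  # step 1: standby is not in use, nothing breaks
    failures += 0 if backend.call_api(auth) else 1
    retired_id = backend.client_id
    backend.client_id, backend.secret = standby_id, new_secret  # step 2: switch clients
    failures += 0 if backend.call_api(auth) else 1
    auth.rotate(retired_id)  # step 3 (optional): retired client is unused, so this is harmless
    failures += 0 if backend.call_api(auth) else 1
    return failures, retired_id  # retired client becomes the standby for the next rotation
```

Running `two_client_rotation` again with the returned standby id performs the "same thing in reverse" the answer describes.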