Genesys Cloud - Main

  • 1.  UI Change: Removal of OAuth Client Secret for Admin UI

    Posted 02-05-2025 14:43
    Edited by David Murray 02-12-2025 12:00

    As part of an initiative to improve the handling of OAuth client credentials, the OAuth client secret will no longer be visible in the Admin UI except at the time of client creation or client secret reset.  There will be changes to the OAuth UI associated with the client secret removal as outlined below.  We are also taking this opportunity to make some additional improvements to the OAuth UI, which are also outlined below.

    This is part 1 of 2 customer-affecting changes being made to improve the handling of OAuth client credentials. 

    Part 1 involves removing the client secret from the Admin UI so that it is only available in the UI at the time of creating an OAuth client or when a new secret is requested. It will no longer be visible in the UI subsequently but it can still be retrieved temporarily via API to lessen the impact for customers that weren't prepared for this change.

    Part 2 then involves removing the client secret from API responses to complete the OAuth client credential handling improvements. At that point, the client secret will no longer be visible in the Admin UI (post create/reset) and will not be returned in API responses (except via POST on client creation).

     

    OAuth Main Page

    We are adding a Status column on the OAuth Main page which will show the status of the OAuth Client and, in particular, if it has been deactivated. If you delete a client that was created more than 30 days ago, it will be in a deactivated state for seven days before permanent removal.  This change will improve visibility for deactivated clients.

    [Screenshots: Current UI and Updated UI]

    Add Client UI

    We are making some changes to streamline the overall flow when adding a new client.  For example, in the current UI, if you select the Client Credentials Grant Type, you receive a warning that role assignment is required and you must switch to the Roles tab to assign roles.  In the Updated UI, this just becomes the next step in the workflow.  Clicking Next brings you to the Assign Roles screen, where you can then assign roles. 

    [Screenshots: Current UI and Updated UI]

    Client Secret

    In the current UI, once you have entered the required details and clicked Save, the Client Secret is displayed in the UI.  It is always available in the UI subsequently when you view or edit the client. 

    In the Updated UI, the Client Secret is obscured rather than being displayed in clear text.  You can click on the fisheye to view it in clear text if you wish.  However, you are also presented with a warning to copy the client secret now because you will not be able to see it again later.  

    [Screenshots: Current UI and Updated UI]

    You must copy the client secret and store it in a secure location, such as a secrets vault.  When you click Next, you will be asked to confirm that you have copied and stored the client secret.

    Once you have confirmed, you will see the client details.  However, in this case (or when you subsequently view or edit the client details), you will not see the client secret.  The only option available, in relation to the client secret, is to generate a new secret.  Text on the screen warns you that generating a new secret will replace the current secret and cannot be undone.  

     

    In both the Current UI and Updated UI, when you click on the option to generate a new secret, you receive a pop up warning.  The wording on the Updated UI has been changed slightly.

    [Screenshots: Current UI and Updated UI]

    These changes have not yet been implemented by our development team so it will likely be some time in Q2 2025 before this is implemented.  I will update this post to advise of the likely implementation date once we get closer to release.  

    The following is the link to the Developer Forum announcement related to the removal of the client secret from API responses - https://developer.genesys.cloud/forum/t/removal-of-oauth-client-secret-from-api-responses/31447


    #Roadmap/NewFeatures
    #Security

    ------------------------------
    David Murray
    Principal Product Manager
    Genesys Cloud
    ------------------------------



  • 2.  RE: UI Change: Removal of OAuth Client Secret for Admin UI

    Posted 02-13-2025 10:56

    Would customers be able to get a list of their current OAuth clients and secrets via this method?

    GET /api/v2/oauth/clients



    ------------------------------
    Phil Koch
    Technical Account Manager
    ------------------------------



  • 3.  RE: UI Change: Removal of OAuth Client Secret for Admin UI

    Posted 29 days ago

    Yes, thanks for highlighting. This method will work to get a list of the current OAuth clients.  The secrets are also included in the response at this point.  The secrets will be removed from the response when we complete part 2 of this initiative (as outlined above).  However, we will have a lag (of probably around 6 weeks) between the removal of the secret from the UI (part 1) and from the API responses (part 2) so that the API method can still be used for a brief period for any organizations that weren't prepared for the removal of the secrets from the UI.



    ------------------------------
    David Murray
    Principal Product Manager
    Genesys Cloud
    ------------------------------
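
    An added example, not part of the original thread and not Genesys code: a check that could be run during the lag between part 1 and part 2, comparing a listing from GET /api/v2/oauth/clients against a vault export so that every secret is confirmed stored before the API stops returning it. The response field names (`entities`, `id`, `secret`), the vault dictionary and all sample values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample body for GET /api/v2/oauth/clients. Field names
# ("entities", "id", "name", "secret") are assumptions, not from the thread.
SAMPLE_RESPONSE = json.dumps({
    "entities": [
        {"id": "client-a", "name": "reporting-job", "secret": "constructed-secret-A"},
        {"id": "client-b", "name": "wfm-sync", "secret": "constructed-secret-B"},
        {"id": "client-c", "name": "old-ivr", "secret": "constructed-secret-C"},
        # Shape expected once part 2 ships: no secret in the listing.
        {"id": "client-d", "name": "created-later"},
    ]
})

# Hypothetical vault export: client id -> secret currently stored.
SAMPLE_VAULT = {
    "client-a": "constructed-secret-A",
    "client-b": "stale-value-from-before-a-reset",
}


def fingerprint(secret):
    """Short SHA-256 prefix so reports can identify a secret without printing it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def audit_vault_coverage(response_body, vault):
    """Return {client_id: status} where status is ok, mismatch, missing or unverifiable."""
    report = {}
    for client in json.loads(response_body).get("entities", []):
        api_secret = client.get("secret")
        stored = vault.get(client["id"])
        if api_secret is None:
            status = "unverifiable"   # API no longer returns the secret
        elif stored is None:
            status = "missing"        # store it now, or plan a reset
        elif hmac.compare_digest(stored.encode(), api_secret.encode()):
            status = "ok"
        else:
            status = "mismatch"       # vault holds a stale value
        report[client["id"]] = status
    return report


if __name__ == "__main__":
    for cid, status in audit_vault_coverage(SAMPLE_RESPONSE, SAMPLE_VAULT).items():
        print(f"{cid}: {status}")
```

    The report carries only client ids and statuses, so it can be shared or logged without exposing any secret; `fingerprint` is there for cases where two values need to be compared by eye.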


