We are trying to rotate our OAuth client secret for the Embeddable Client App SDK integration, but we don’t want to kick all active agents offline. The current implementation uses the default OAuth2Authenticator from the Genesys Cloud .NET SDK, which seems to cache the token for the full duration.
Here is the basic setup we are using to initialize the API client:
var config = new Configuration.Builder()
    .WithClientId(clientId)
    .WithClientSecret(oldSecret)
    .WithScopes(new List<string> { "agent:login", "user:read" })
    .Build();
var apiClient = new ApiClient(config);
If we update the clientSecret in the environment variables or config file on the server, the running application doesn’t pick it up until it restarts. If we restart, the refresh_token becomes invalid because it was tied to the old secret, forcing a re-auth flow for everyone.
Is there a way to programmatically swap the secret in the Configuration object at runtime? We tried calling config.UpdateClientSecret(newSecret) but that method doesn’t exist in the 8.x SDK. We also looked at implementing a custom IAuthenticationProvider to handle the secret lookup dynamically during the token refresh callback, but the SDK documentation is sparse on overriding the internal token cache behavior.
Has anyone managed a zero-downtime secret rotation in .NET? We need the new secret to be used for the next refresh token request without invalidating the current access tokens held by the agents.
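
One way to structure the runtime secret lookup asked about above, as an added example that is not part of the original post and does not use the Genesys Cloud SDK's own types. `RotatingSecret`, `Acquire`, `Retire` and the `requestToken` delegate are hypothetical names, the token endpoint is a constructed in-memory stand-in, and the fallback assumes the authorization server accepts both secrets during an overlap window.

```csharp
using System;

// Hypothetical helper: keeps the client secret behind a lock so a rotation is
// picked up by the next token request without restarting the process.
public sealed class RotatingSecret
{
    private readonly object _gate = new object();
    private string _current, _previous;

    public RotatingSecret(string initial) { _current = initial; }

    // Called by whatever watches the secret store or config file (assumption).
    public void Rotate(string newSecret)
    {
        lock (_gate)
        {
            if (newSecret == _current) return;   // idempotent on repeated reloads
            _previous = _current;
            _current = newSecret;
        }
    }

    // Call once the overlap window has closed so the old secret leaves memory.
    public void Retire() { lock (_gate) { _previous = null; } }

    // requestToken stands in for the HTTP call to the token endpoint and
    // returns null when the server rejects the client credentials.
    public string Acquire(Func<string, string> requestToken)
    {
        string cur, prev;
        lock (_gate) { cur = _current; prev = _previous; }
        var token = requestToken(cur);
        if (token == null && prev != null) token = requestToken(prev);
        return token ?? throw new InvalidOperationException("client credentials rejected");
    }
}

public static class Demo
{
    public static void Main()
    {
        var secret = new RotatingSecret("old-secret");        // constructed values
        string accepted = "old-secret";                       // what the fake server accepts
        Func<string, string> endpoint = s => s == accepted ? "token-for-" + s : null;
        Console.WriteLine(secret.Acquire(endpoint));          // before rotation
        secret.Rotate("new-secret");                          // app reloads first
        Console.WriteLine(secret.Acquire(endpoint));          // server still on old secret
        accepted = "new-secret";                              // server side switches
        secret.Retire();
        Console.WriteLine(secret.Acquire(endpoint));          // new secret only
    }
}
```

Log each fallback to the previous secret; a fallback seen after the overlap window has closed means some component is still holding the retired credential.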