Zero-downtime OAuth client secret rotation with Genesys Cloud SDK

We’re preparing for a security audit that requires rotating our OAuth client secrets every 90 days without taking our Android app offline. The app uses the Genesys Cloud Web Messaging SDK, which relies on the underlying genesys-cloud-auth library for token management.

The current flow in our Kotlin backend is pretty standard. We fetch a new access token using POST /oauth/token with the client credentials grant. The issue is that if we rotate the secret in the Genesys admin console while the app is running, the old secret becomes invalid immediately. The SDK doesn’t seem to have a built-in “grace period” or dual-secret validation mechanism for client credentials grants.

I’m looking at the SDK source code for OAuthManager. It caches the token and refreshes it before expiration, but it throws a 401 Unauthorized if the secret is invalid during the refresh call. This causes a hard failure for active sessions.

Here’s the relevant snippet from our token refresh logic:

fun refreshToken(): TokenResponse {
    // Client credentials grant with a single secret, read once from config
    val request = TokenRequest(
        grantType = "client_credentials",
        clientId = config.clientId,
        clientSecret = config.clientSecret, // This becomes invalid on rotation
        scope = "webmessaging"
    )
    return oauthClient.fetchToken(request)
}

If I rotate the secret, config.clientSecret is stale. The next time the SDK tries to refresh, it crashes. I can’t just update the config file and restart the app because that would drop all active web messaging sessions.

Is there a recommended pattern for rotating secrets in the client credentials grant flow? Can we use the /oauth/token/verify endpoint to check validity before attempting a refresh? Or is there a way to configure the SDK to handle transient auth errors more gracefully by falling back to a cached token or retrying with a new secret if provided via a webhook?

Any code examples or SDK configuration tweaks would be appreciated. We need to keep the messaging channels open during the rotation window.
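Added example (not Genesys SDK code and not from the original post): a client-credentials token provider that carries an ordered list of candidate secrets and fails over on 401 during refresh, which is the dual-secret grace period the question asks for. `TokenEndpoint`, `FakeAuthServer`, `RotatingTokenProvider`, `stageNextSecret` and the in-memory server are all constructed for this illustration; the only thing that makes the pattern work in production is an assumption you must confirm with your authorization server, namely that the old and new secret are both accepted for some window (if they are not, the same provider can be pointed at a second OAuth client during migration instead).

```kotlin
// Added example, not Genesys SDK code. TokenEndpoint stands in for POST /oauth/token
// and is simulated in-memory here. The server accepting two secrets at once during
// rotation is an assumption to verify against your real authorization server.
import java.util.concurrent.atomic.AtomicReference

data class Token(val accessToken: String, val expiresAtMillis: Long)

class UnauthorizedException(msg: String) : RuntimeException(msg)

// Assumed interface, not the SDK's: one call to the token endpoint.
fun interface TokenEndpoint {
    fun fetchToken(clientId: String, clientSecret: String, scope: String): Token
}

// Constructed fake authorization server: accepts any secret currently in validSecrets.
class FakeAuthServer(initialSecret: String, private val ttlMillis: Long = 60_000) : TokenEndpoint {
    val validSecrets = mutableSetOf(initialSecret)
    private var issued = 0
    override fun fetchToken(clientId: String, clientSecret: String, scope: String): Token {
        if (clientSecret !in validSecrets) throw UnauthorizedException("401 invalid_client for $clientId")
        issued++
        return Token("tok-$issued", System.currentTimeMillis() + ttlMillis)
    }
}

/**
 * Holds an ordered list of candidate secrets (current first, next second) plus a cached token.
 * Refresh tries each secret in order; secrets that precede the first working one are dropped,
 * so the new secret becomes primary once the old one is revoked. If every secret is rejected
 * but the cached token is still unexpired, the cached token is returned so live sessions
 * survive until an operator fixes the configuration.
 */
class RotatingTokenProvider(
    private val endpoint: TokenEndpoint,
    private val clientId: String,
    initialSecrets: List<String>,
    private val scope: String = "webmessaging",
    private val refreshSkewMillis: Long = 10_000
) {
    private val secrets = AtomicReference(initialSecrets)
    private val cached = AtomicReference<Token?>(null)

    // Called from a webhook or config watcher when the new secret is provisioned. The old
    // secret stays first so it is still tried while it remains valid.
    fun stageNextSecret(next: String) {
        secrets.updateAndGet { (it + next).distinct() }
    }

    fun activeSecrets(): List<String> = secrets.get()

    @Synchronized
    fun token(now: Long = System.currentTimeMillis()): Token {
        cached.get()?.let { if (it.expiresAtMillis - refreshSkewMillis > now) return it }
        return refresh(now)
    }

    private fun refresh(now: Long): Token {
        var lastError: UnauthorizedException? = null
        for (secret in secrets.get()) {
            try {
                val t = endpoint.fetchToken(clientId, secret, scope)
                cached.set(t)
                // Every secret listed before the working one was rejected: drop them.
                secrets.updateAndGet { list -> list.dropWhile { it != secret } }
                return t
            } catch (e: UnauthorizedException) {
                lastError = e // only 401 triggers failover; network errors propagate unchanged
            }
        }
        // All secrets rejected: fall back to an unexpired cached token instead of failing hot.
        cached.get()?.let { if (it.expiresAtMillis > now) return it }
        throw lastError ?: IllegalStateException("no client secrets configured")
    }
}

fun main() {
    val server = FakeAuthServer("secret-A")
    val provider = RotatingTokenProvider(server, "client-123", listOf("secret-A"))
    println("initial token: " + provider.token().accessToken)

    // Rotation step 1: new secret provisioned on the server while the old one is still valid.
    server.validSecrets += "secret-B"
    provider.stageNextSecret("secret-B")

    // Rotation step 2: old secret revoked. A forced refresh must fail over to secret-B.
    server.validSecrets -= "secret-A"
    val t = provider.token(now = System.currentTimeMillis() + 60_000)
    println("after rotation: " + t.accessToken + " using secrets " + provider.activeSecrets())
}
```

Two caveats worth keeping in mind with this pattern: the cached-token fallback only buys time until that token's own expiry, so the rotation window still has to be shorter than the token lifetime plus your detection time; and only a 401 should cause a secret to be discarded, because dropping secrets on a transient network error would turn an outage into a lockout.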