Runbook: Rotate OAuth2-Proxy Cookie Secret

Purpose

Rotate the OAuth2-Proxy cookie secret to invalidate old sessions and improve security.

Prerequisites

  • SSH access to odin
  • Maintenance window (users will need to re-authenticate)

Procedure

Step 1: Generate a new secret

# OAuth2-Proxy decodes the secret as URL-safe base64, so map '+/' to '-_'
openssl rand -base64 32 | tr -- '+/' '-_'

Step 2: Update secrets

# -t allocates a terminal, which vim needs when started over SSH
ssh -t ravenhelm@100.115.101.81 "vim ~/ravenhelm/secrets/.env"

Set OAUTH2_PROXY_COOKIE_SECRET to the value generated in Step 1.

Step 3: Restart OAuth2-Proxy

ssh ravenhelm@100.115.101.81 "docker restart oauth2-proxy"

Verification

  • New logins succeed
  • Existing sessions require re-authentication

Rollback

Revert the secret to the previous value and restart OAuth2-Proxy.
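
Added example, not part of the original runbook: a script for Steps 1 and 2 that checks the new value before writing it and keeps the old file for Rollback. The function names and the .prev/.new file suffixes are assumptions; the 16, 24 or 32 byte check reflects OAuth2-Proxy using the secret as an AES key.

```shell
#!/bin/sh
# Added example, not part of the original runbook. Function names and the
# .prev/.new suffixes are assumptions; the variable name is the runbook's.
KEY=OAUTH2_PROXY_COOKIE_SECRET

# Step 1: 32 random bytes as URL-safe base64 ('+/' mapped to '-_').
gen_cookie_secret() {
    openssl rand -base64 32 | tr -- '+/' '-_'
}

# Succeed only if $1 is URL-safe base64 that decodes to 16, 24 or 32 bytes
# (AES key sizes). Without padding those encode to 22, 32 or 43 characters.
valid_cookie_secret() {
    s=$1
    while [ "${s%=}" != "$s" ]; do s=${s%=}; done     # drop trailing padding
    case $s in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac   # rejects '+', '/', spaces
    case ${#s} in 22|32|43) return 0 ;; *) return 1 ;; esac
}

# Step 2: write SECRET into FILE, keeping the old file as FILE.prev for the
# Rollback section. The secret is written with printf (a builtin in bash and
# dash), so it never appears in a process argument list. umask 077 keeps the
# new files owner-only.
set_cookie_secret() {    # usage: set_cookie_secret FILE SECRET
    file=$1 secret=$2
    valid_cookie_secret "$secret" || { echo "rejected: bad secret format" >&2; return 1; }
    grep -q "^$KEY=" "$file" || { echo "rejected: $KEY not in $file" >&2; return 1; }
    (
        umask 077
        rm -f "$file.prev" "$file.new"
        cp "$file" "$file.prev" || exit 1
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                "$KEY="*) printf '%s\n' "$KEY=$secret" ;;
                *)        printf '%s\n' "$line" ;;
            esac
        done < "$file.prev" > "$file.new" && mv "$file.new" "$file"
    )
}

# Rollback: restore the previous file; OAuth2-Proxy still needs its restart.
rollback_cookie_secret() {
    mv "$1.prev" "$1"
}

# Given the .env path as the only argument, perform Steps 1 and 2.
if [ "$#" -eq 1 ]; then
    set_cookie_secret "$1" "$(gen_cookie_secret)"
fi
```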