UWIT-IAM / uw-idp-custom

Local IdP configuration and etc customizations

Script to manage OIDC client metadata #51

Open mar235av opened 4 weeks ago

mar235av commented 4 weeks ago

Currently, the metadata for all OIDC clients is a single monolithic file in JSON format stored on each IdP server. There are several problems with this situation:

  1. Any (necessarily manual) edit to the file risks corrupting the file which would break all OIDC integrations.
  2. The client secrets are stored in the file, so any review or edit exposes these client secrets.
  3. Combining secret and non-secret information is bad practice and would make containerization difficult.

Desired:

  1. Create new files that hold the metadata for each client in a separate file.
  2. Remove the client secrets from those files and store them in a separate location.
  3. Write a script that combines the secrets and the non-secret metadata into the single file that Shibboleth needs.
  4. The script should perform basic validation on the generated file: (a) require valid JSON; (b) require a list of objects, each of which is a set of key/value pairs; (c) warn on unknown key; (d) require valid data type for each value depending on its key.

The eventual vision is to store at least the metadata in the SPRegistry database (with lack of clarity on how the secrets should be stored), so the design should support migration to that future state.
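A sketch of the merge-and-validate script described in the issue, added here as an example rather than taken from the uw-idp-custom repository. It assumes per-client metadata arrives as separate JSON documents, secrets are looked up by `client_id` from a separate store, and the known key set (`KNOWN_KEYS`) is a placeholder for whatever keys the Shibboleth client-metadata file actually accepts.

```python
from __future__ import annotations
import json

# Assumed key -> expected type table; adjust to the real Shibboleth schema.
KNOWN_KEYS = {
    "client_id": str, "client_secret": str, "redirect_uris": list,
    "scope": str, "response_types": list, "grant_types": list,
}

def merge_clients(metadata_files: dict[str, str], secrets: dict[str, str]) -> list[dict]:
    """Combine per-client JSON documents with secrets stored elsewhere."""
    clients = []
    for name, text in sorted(metadata_files.items()):
        client = json.loads(text)  # invalid JSON in any one file fails early
        if "client_secret" in client:
            raise ValueError(f"{name}: secret must not live in the metadata file")
        cid = client.get("client_id")
        if cid not in secrets:
            raise ValueError(f"{name}: no secret found for client_id {cid!r}")
        clients.append({**client, "client_secret": secrets[cid]})
    return clients

def validate(document: str) -> list[str]:
    """Checks (a)-(d) from the issue: hard errors raise, unknown keys warn."""
    data = json.loads(document)                      # (a) valid JSON
    if not isinstance(data, list):                   # (b) a list of objects
        raise ValueError("top level must be a JSON array")
    warnings = []
    for i, obj in enumerate(data):
        if not isinstance(obj, dict):
            raise ValueError(f"entry {i} is not an object")
        for key, value in obj.items():
            if key not in KNOWN_KEYS:                # (c) warn on unknown key
                warnings.append(f"entry {i}: unknown key {key!r}")
            elif not isinstance(value, KNOWN_KEYS[key]):  # (d) type per key
                raise ValueError(f"entry {i}: {key!r} must be {KNOWN_KEYS[key].__name__}")
    return warnings

# Constructed sample input: two client files plus a separate secret store.
SAMPLE_FILES = {
    "app1.json": '{"client_id": "app1", "redirect_uris": ["https://app1.example/cb"], "scope": "openid", "extra": 1}',
    "app2.json": '{"client_id": "app2", "redirect_uris": ["https://app2.example/cb"]}',
}
SAMPLE_SECRETS = {"app1": "s1", "app2": "s2"}

def build() -> tuple[str, list[str]]:
    """Produce the combined file Shibboleth would read and its warnings."""
    doc = json.dumps(merge_clients(SAMPLE_FILES, SAMPLE_SECRETS), indent=2)
    return doc, validate(doc)
```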