Keeping OIDC client_secret out of git

Darren Boss darren.boss at
Tue Jun 30 15:09:27 UTC 2020

For our IdP configuration we keep everything in a git repository which
gets cloned when the IdP starts up, with the exception of secrets,
which so far I've been able to load from a different source
(Kubernetes secrets), but I'm having a hard time coming up with a
solution for the OIDC metadata.

Is anyone doing something similar and has come up with a solution? So far
I'm only using trusted RPs backed by metadata in the filesystem. I
would like to get the client_secret out of the metadata files and
stored somewhere else. It could be another file on the filesystem
which allows me to load it from another source.

Darren Boss
Senior Programmer/Analyst
Programmeur-analyste principal
darren.boss at
