Keeping OIDC client_secret out of git

Wessel, Keith kwessel at
Tue Jun 30 15:46:08 UTC 2020

In AWS Fargate, we're storing the OIDC static client metadata including secrets in a persistent mounted EFS volume. It's easily and quickly too big to fit into any type of container env secret management, and we definitely didn't want that in Github. So, an externally mounted volume is probably the way to go.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Darren Boss
Sent: Tuesday, June 30, 2020 10:09 AM
To: Shib Users <users at>
Subject: Keeping OIDC client_secret out of git

For our IdP configuration we keep everything in a git repository which gets cloned when the IdP starts up with the exception for secrets which so far I've been able to load from a different source (Kubernetes secrets) but I'm having a hard time coming up with a solution for the OIDC metadata.

Is anyone doing something similar and has come up with a solution? So far I'm only using trusted RPs backed by metadata in the filesystem. I would like to get the client_secret out of the metadata files and stored somewhere else. It could be another file on the filesystem which allows me to load it from another source.

Darren Boss
Senior Programmer/Analyst
Programmeur-analyste principal
darren.boss at
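An added example, not code from this thread, from Shibboleth or from the OIDC OP plugin, of the split Darren asks about: the RP metadata files that live in git carry no client_secret, and at IdP start-up a small step merges the secret back in from a store outside the repository (a Kubernetes secret projected as a file, or a file on a mounted volume as in Keith's EFS setup) and writes the runtime copy to a non-git location. It assumes the RP metadata is one JSON object per file with a client_id key, and that the external store is a JSON map from client_id to client_secret; all file names, paths and values below are constructed. A companion check flags any metadata file in the repository that still contains a client_secret, which is the kind of test you would wire into a pre-commit hook.

```python
"""Keep client_secret out of git-tracked OIDC RP metadata (added example).

Assumptions (not from the thread): each RP metadata file is a JSON object
with a "client_id" key (and, only at runtime, a "client_secret" key); the
out-of-repo secret store is a JSON object mapping client_id -> client_secret.
"""
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

SECRET_KEY = "client_secret"

# Constructed sample: RP metadata as committed to git (no secret present).
COMMITTED_METADATA = {
    "client_id": "demo-rp",
    "redirect_uris": ["https://rp.example.org/callback"],
    "scope": "openid profile",
}

# Constructed sample: contents of the out-of-repo secret store.
SECRET_STORE = {"demo-rp": "s3cr3t-value"}


def strip_secret(metadata: Dict) -> Tuple[Dict, Optional[str]]:
    """Split a metadata object into (metadata without client_secret, removed secret)."""
    cleaned = dict(metadata)
    return cleaned, cleaned.pop(SECRET_KEY, None)


def merge_secret(metadata: Dict, secrets: Dict[str, str]) -> Dict:
    """Re-attach the secret from the external store; fail loudly if it is missing."""
    client_id = metadata["client_id"]
    if client_id not in secrets:
        raise KeyError(f"no client_secret for client_id {client_id!r} in secret store")
    merged = dict(metadata)
    merged[SECRET_KEY] = secrets[client_id]
    return merged


def find_committed_secrets(files: Dict[str, str]) -> List[str]:
    """Given {file name: file text}, return the names that still carry a client_secret.

    Files that are not valid JSON are skipped; a non-empty client_secret is an offender.
    """
    offenders = []
    for name, text in sorted(files.items()):
        try:
            doc = json.loads(text)
        except json.JSONDecodeError:
            continue
        if isinstance(doc, dict) and doc.get(SECRET_KEY):
            offenders.append(name)
    return offenders


def scan_dir(metadata_dir: Path) -> List[str]:
    """Run find_committed_secrets over every *.json file in a repository directory."""
    return find_committed_secrets({p.name: p.read_text() for p in metadata_dir.glob("*.json")})


def build_runtime_metadata(repo_dir: Path, secrets_path: Path, out_dir: Path) -> List[Path]:
    """Start-up step: read committed metadata, merge secrets, write to a non-git location."""
    secrets = json.loads(secrets_path.read_text())
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for path in sorted(repo_dir.glob("*.json")):
        merged = merge_secret(json.loads(path.read_text()), secrets)
        target = out_dir / path.name
        target.write_text(json.dumps(merged, indent=2))
        os.chmod(target, 0o600)  # the runtime copy holds the secret: owner-only
        written.append(target)
    return written


def demo() -> Dict:
    """Run the whole flow in a temporary directory and return the merged metadata."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        repo, runtime = base / "repo", base / "runtime"
        repo.mkdir()
        (repo / "demo-rp.json").write_text(json.dumps(COMMITTED_METADATA))
        secrets_file = base / "oidc-secrets.json"  # stands in for a mounted secret file
        secrets_file.write_text(json.dumps(SECRET_STORE))
        if scan_dir(repo):
            raise RuntimeError("a committed metadata file still contains a client_secret")
        written = build_runtime_metadata(repo, secrets_file, runtime)
        return json.loads(written[0].read_text())


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The secret store path is something the container runtime provides (a projected secret or a volume mount), so only the merged copy in the runtime directory ever contains the secret, and scan_dir gives you a cheap way to reject a commit that re-introduces one.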