Keeping OIDC client_secret out of git
Wessel, Keith
kwessel at illinois.edu
Tue Jun 30 15:46:08 UTC 2020
In AWS Fargate, we're storing the OIDC static client metadata including secrets in a persistent mounted EFS volume. It's easily and quickly too big to fit into any type of container env secret management, and we definitely didn't want that in GitHub. So, an externally mounted volume is probably the way to go.
Keith
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Darren Boss
Sent: Tuesday, June 30, 2020 10:09 AM
To: Shib Users <users at shibboleth.net>
Subject: Keeping OIDC client_secret out of git
For our IdP configuration we keep everything in a git repository, which gets cloned when the IdP starts up, with the exception of secrets, which so far I've been able to load from a different source (Kubernetes secrets). But I'm having a hard time coming up with a solution for the OIDC metadata.
Is anyone doing something similar and has come up with a solution? So far I'm only using trusted RPs backed by metadata in the filesystem. I would like to get the client_secret out of the metadata files and store it somewhere else. It could be another file on the filesystem, which would allow me to load it from another source.
--
Darren Boss
Senior Programmer/Analyst
Programmeur-analyste principal
darren.boss at computecanada.ca
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
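One way to do what Darren asks for, as an added example that is not code from this thread or from the Shibboleth project: commit a copy of the trusted-RP metadata in which every client_secret is a placeholder, mount the real secrets as a Kubernetes Secret volume (one file per key), and render the real file at container start-up before the IdP reads it. The placeholder syntax "${secret:NAME}", the JSON-array layout of the trusted-RP file, the file names and the sample clients below are all assumptions made for the example. The render fails closed: a literal secret in the committed template or a placeholder with no matching secret aborts, and find_committed_secrets() doubles as a pre-commit or CI check that nothing real has landed in git.

```python
"""Render Shibboleth OIDC trusted-RP metadata from a committed template plus
secrets supplied out of band (added example, not Shibboleth's own code)."""
import json
import os
import re
import tempfile
from pathlib import Path

# Assumed placeholder syntax used in the committed file instead of a real secret.
PLACEHOLDER = re.compile(r"^\$\{secret:([A-Za-z0-9_.-]+)\}$")

# Constructed sample of the committed template. Field names follow standard OIDC
# client metadata; that this matches the Shibboleth trusted-RP file is an assumption.
COMMITTED_TEMPLATE = """
[
  {
    "client_id": "demo_rp",
    "client_secret": "${secret:demo_rp}",
    "redirect_uris": ["https://rp.example.org/callback"],
    "response_types": ["code"],
    "grant_types": ["authorization_code"],
    "scope": "openid profile email"
  },
  {
    "client_id": "public_spa",
    "redirect_uris": ["https://spa.example.org/cb"],
    "response_types": ["code"],
    "grant_types": ["authorization_code"],
    "token_endpoint_auth_method": "none",
    "scope": "openid"
  }
]
"""


def parse_template(text):
    """Parse the committed template into a list of client metadata dicts."""
    return json.loads(text)


def find_committed_secrets(clients):
    """Return client_ids whose client_secret is a literal value, not a placeholder.
    Suitable as a pre-commit or CI gate: a non-empty result means a secret is in git."""
    return [c.get("client_id") for c in clients
            if "client_secret" in c and not PLACEHOLDER.match(str(c["client_secret"]))]


def load_secret_dir(secret_dir):
    """Read a directory with one file per secret, the way a Kubernetes Secret volume mounts.
    Names starting with '..' are kubelet bookkeeping entries, not keys, and are skipped."""
    secrets = {}
    for p in Path(secret_dir).iterdir():
        if p.is_file() and not p.name.startswith(".."):
            secrets[p.name] = p.read_text(encoding="utf-8").strip()
    return secrets


def render_clients(clients, secrets):
    """Substitute placeholders with real secrets. Fails closed on a literal secret
    in the template or on a placeholder with no matching secret."""
    leaked = find_committed_secrets(clients)
    if leaked:
        raise ValueError(f"literal client_secret committed for: {leaked}")
    rendered, missing = [], []
    for c in clients:
        c = dict(c)  # do not mutate the caller's template
        if "client_secret" in c:
            name = PLACEHOLDER.match(c["client_secret"]).group(1)
            if name in secrets:
                c["client_secret"] = secrets[name]
            else:
                missing.append(name)
        rendered.append(c)
    if missing:
        raise KeyError(f"no secret provided for placeholder(s): {missing}")
    return rendered


def write_private(path, clients):
    """Write the rendered file mode 0600 and atomically, so the IdP never reads a
    half-written file and other users on the host cannot read the secrets."""
    path = Path(path)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".oidc-render-")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(clients, f, indent=2)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
    return path


def demo(workdir=None):
    """Build a fake secret volume, render the template into it and return the result."""
    workdir = Path(workdir or tempfile.mkdtemp())
    secret_dir = workdir / "secrets"
    secret_dir.mkdir(exist_ok=True)
    (secret_dir / "demo_rp").write_text("s3cr3t-from-k8s\n")  # constructed secret value
    rendered = render_clients(parse_template(COMMITTED_TEMPLATE), load_secret_dir(secret_dir))
    write_private(workdir / "oidc-clients.json", rendered)  # assumed output file name
    return rendered


if __name__ == "__main__":
    for c in demo():
        print(c["client_id"], "secret rendered" if "client_secret" in c else "public client")
```

In a real deployment the rendered file would be written to the IdP's metadata directory by an init container or entrypoint script, with the Secret volume mounted read-only; the committed template stays safe to push because the CI check rejects any client whose client_secret is not a placeholder.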