Symantec Access Management


Why is encryption certificate on OIDC Authorization Provider instead of Client


    Posted Jul 10, 2019 01:24 PM
    We are implementing OpenID Connect in SiteMinder, and I was asked the following question by one of our Sr. engineers. I thought it was an excellent question, so I thought I would post it here for comment.

    Why did CA/Broadcom implement the OpenID Connect encryption certificate on the Authorization provider instead of the client configuration object?

    To encrypt an ID token or userinfo response, the client would provide the public key of their certificate to the authorization server and then decrypt the information using the client's private key. This public key certificate that the authorization provider uses will be unique on a client-by-client basis.

    By storing the client's public key certificate in the authorization provider object, it (I think) means that you will have to create both a client and an authorization provider object for every OIDC integration that requires encryption (which will be most of them in our case).

    Am I missing something? If this is by design, what was the thought process or reasoning behind it?

    Thanks,

    Josh