Shared IDP - Audience Only

[ikethecoder]

Description: Allows the use of a Shared IdP, using the Audience to delineate one API from another.

• Introduce inheritFrom and shared fields on the CredentialIssuer
• Enforce that setting shared=true must have the namespace permission protected-ns=allow
• Choosing to use a shared IdP must be done at time of creation and not able to be changed after
• The clientId is set to the unique client representing the particular Authorization Profile
• For new minted credentials, the clientId will be set in the audience claim of the Bearer Token
• Generate error on save of CredentialIssuer if Scopes are set and inheritFrom is set (Scopes are not supported)
• Ensure the jwt-keycloak plugin will enforce the audience and not allow traffic with a token from a different audience

[sienna-blumstengel-bcgov]

Elisa has reviewed the UI and all is good.
Messaging on the options could be improved. Include the instructions on why you would choose which.

Aidan's considerations:

• when you click edit, it is confusing, you see the text but no option to change the radio button
• If we add lots of text, it pushes the other content down which we don't want

Elisa's reply:

• @elisafw-ux will put some consideration into the edit state
• The extending of the box down is ok
• Let's also add more text to each option.
  • Carol-Anne and Sienna review the proposed text by Aidan?

Maybe consider the following, but sanitized to not mention any specific BC GOV things?:

Use a custom IDP if:

• You already have your own Keycloak instance
• You are using SSO Pathfinder's Keycloak instance with a Custom Realm

Use the shared IDP if:

• You want to use Client Credential Grant Flow to protect an API and SSO Pathfinder Keycloak (custom or standard realms) is not an option for you.