fix: move client_id from config to individual trusts #282

Open
cb80 wants to merge 1 commit into main from clientID

cb80 (Contributor) commented Apr 23, 2026

Move the client_id from the config into the database trust table.
Deprecate the client_id in the config, but leave it there to enable the data migration.

cb80 self-assigned this Apr 23, 2026

coderabbitai Bot commented Apr 23, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@alienvspredator (Member)

Question: if we are moving client_id to be configured per trust, what do we do with client_secret when this authentication method is used? It should correspond to client_id.

cb80 (Contributor, Author) commented Apr 24, 2026

> Question: if we are moving client_id to be configured per trust, what do we do with client_secret when this authentication method is used? It should correspond to client_id.

I don't have an answer for this. With mTLS it is easy because there is one certificate, which is to be allowed in N identity providers. With client secret it's tough, because N identity providers define N client secrets. For now the restriction seems to be that all identity providers have to use the same client secret.

cb80 (Contributor, Author) commented May 4, 2026

> Question: if we are moving client_id to be configured per trust, what do we do with client_secret when this authentication method is used? It should correspond to client_id.

@alienvspredator we could define a "credential resolver" interface, which receives the client_id and returns an http client. The implementation may look up the credential in some source, e.g. config, k8s custom resources, vault. For the moment we ship a SimpleCredentialResolver, which expects a config like this:

```yaml
credentialResolver:
  default:
    secretRef: # https://github.com/openkcm/common-sdk/blob/main/pkg/commoncfg/config.go#L191
  named:
  - name: <client_id>
    secretRef: ...
```
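
The resolver proposed in the comment above, sketched in Go as an added example (not code from this pull request or the project). The struct fields, `Secret`, `authorize`, `basicAuth` and the choice of client_secret_basic are assumptions, and secrets are plain strings standing in for `secretRef`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// SimpleCredentialResolver is hypothetical; secrets are plain strings (assumption), not secretRef.
type SimpleCredentialResolver struct {
	Default string            // credentialResolver.default
	Named   map[string]string // credentialResolver.named, keyed by client_id
}

// Secret prefers the entry named after clientID, then the default, else fails.
func (r SimpleCredentialResolver) Secret(clientID string) (string, error) {
	if s := r.Named[clientID]; s != "" {
		return s, nil
	}
	if r.Default != "" {
		return r.Default, nil
	}
	return "", fmt.Errorf("no credential configured for client_id %q", clientID)
}

// authorize returns a copy of req with form-encoded client_secret_basic credentials (RFC 6749, 2.3.1).
func authorize(req *http.Request, id, secret string) *http.Request {
	out := req.Clone(req.Context()) // leave the caller's request untouched
	out.SetBasicAuth(url.QueryEscape(id), url.QueryEscape(secret))
	return out
}

type basicAuth struct{ id, secret string }
func (b basicAuth) RoundTrip(req *http.Request) (*http.Response, error) {
	return http.DefaultTransport.RoundTrip(authorize(req, b.id, b.secret))
}

// Resolve receives the client_id and returns an HTTP client bound to its secret.
func (r SimpleCredentialResolver) Resolve(clientID string) (*http.Client, error) {
	secret, err := r.Secret(clientID)
	if err != nil {
		return nil, err
	}
	return &http.Client{Transport: basicAuth{clientID, secret}}, nil
}

func main() {
	_, err := SimpleCredentialResolver{}.Resolve("idp-a") // constructed id, empty config
	fmt.Println(err)
}
```

In this sketch, a configured default means any client_id without a named entry is sent the default secret; leaving the default empty makes an unlisted trust fail closed.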

cb80 marked this pull request as ready for review May 5, 2026 06:56