It turns out, we do NOT want to keep one single, global OIDC client data structure. There are two major problems with this:

1. If the OIDC IdP happens to be unavailable when the process starts, Rocket will fail to ignite and the process will exit. This is unnecessary, since the only functionality that will be unavailable without the IdP is new logins; existing sessions/tokens will still be valid.

2. Identity providers can change keys, URLs, etc. at any time. If we cache everything and never look it up again, all future login attempts will fail until the server is restarted.

The official recommendation for caching OIDC IdP configuration and keys is to use native HTTP cache control. Unfortunately, most IdPs explicitly disable caching of their HTTP responses.
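One way to address both points (lazy loading so startup never depends on the IdP, plus bounded re-fetching so key rotation does not need a restart), as an added example in Rust that is not the project's own code. `ProviderConfig`, the `fetch` closure standing in for the discovery and JWKS round trip, and the TTL/throttle values are assumptions made for the example.

```rust
use std::time::{Duration, Instant};

/// Subset of OIDC discovery data tracked here (constructed; real metadata has many more fields).
#[derive(Clone, Debug, PartialEq)]
pub struct ProviderConfig {
    pub authorization_endpoint: String,
    pub jwks_kids: Vec<String>, // key IDs the IdP currently publishes
}

/// Lazily populated, time-bounded cache of IdP configuration and keys. `fetch` stands in for HTTP.
pub struct IdpCache<F: FnMut() -> Result<ProviderConfig, String>> {
    fetch: F,
    ttl: Duration,         // how long a successful fetch is trusted
    min_refresh: Duration, // floor between fetches, so unknown `kid`s cannot hammer the IdP
    last_attempt: Option<Instant>,
    cached: Option<(Instant, ProviderConfig)>,
}

impl<F: FnMut() -> Result<ProviderConfig, String>> IdpCache<F> {
    pub fn new(fetch: F, ttl: Duration, min_refresh: Duration) -> Self {
        // Nothing is fetched here: process startup never depends on the IdP being reachable.
        Self { fetch, ttl, min_refresh, last_attempt: None, cached: None }
    }

    /// Return the config, (re)fetching when absent, expired, or `force` is set.
    pub fn get(&mut self, force: bool) -> Result<ProviderConfig, String> {
        let expired = self.cached.as_ref().map_or(true, |(at, _)| at.elapsed() > self.ttl);
        let throttled = self.last_attempt.map_or(false, |t| t.elapsed() < self.min_refresh);
        if (force || expired) && !throttled {
            self.last_attempt = Some(Instant::now());
            match (self.fetch)() {
                Ok(cfg) => self.cached = Some((Instant::now(), cfg)),
                // IdP unreachable: keep serving last-known-good data; only new logins fail if we have none.
                Err(e) => if self.cached.is_none() { return Err(e) },
            }
        }
        self.cached.as_ref().map(|(_, c)| c.clone())
            .ok_or_else(|| "IdP configuration not available yet".to_string())
    }

    /// Is `kid` a currently published key? On a miss, refetch once to pick up key rotation.
    pub fn has_key(&mut self, kid: &str) -> Result<bool, String> {
        if self.get(false)?.jwks_kids.iter().any(|k| k == kid) {
            return Ok(true);
        }
        Ok(self.get(true)?.jwks_kids.iter().any(|k| k == kid))
    }
}
```

The throttle matters because a token carrying an unknown `kid` would otherwise trigger a fresh request to the IdP on every validation attempt.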