[Openid-specs-ab] Relying Party libraries
George Fletcher
gffletch at aol.com
Thu Sep 14 14:58:35 UTC 2017
I've run into a few things over the last year rolling out OpenID Connect
within the enterprise for our B2B partners. I see the RP dev work
falling into three main areas...
1. Code to implement the spec and its best practice
2. Securely managing client_id "secrets" whether private key or shared
secret
3. Securely managing returned tokens
There are many libraries that handle #1 but I haven't seen code that
addresses items 2 and 3. Any recommendations or interest in items 2 and 3?
On the working group call today, we talked about two architectures to
help RPs. One is more of a "gateway" model where the gateway does all
the OIDC work and then passes the necessary data downstream to the RP.
This could be a service so that the RP has no deployment work. The other
model is more of a module deployed by the RP that handles items 1-3 on
the RP's behalf.
Thanks,
George