As a service owner, I want to be able to connect ephemeral services to OIDCng dynamically

[baszoetekouw]

Usecase from SDP: applications are built in CI, and get assigned a synamic domain like ci-mybranch-myproject.dev.example.org. These projects are used for CI tests, but are kept online as a "preview environment". To actually use the preview, the connection to SURFconext (test) need to work and be active.

I see two ways to be able to support this:

1. introduce dynamic client registration
2. allow regexps/wildcards in redirect endpoints

Option 2 is easiest to implement, but we need to be careful if we want to allow this for all services (probably not). Option 1 is more work to implement, but we need this feature for OID-fed anyway, I think.

[baszoetekouw]

@quartje Do you remember why wildcards weren't implemented in the first place?

@HarryKodden @surfnet-niels Do you need dynamic client registration for the OID-fed pilot soonish? Or is that not required yet?

[tvdijen]

I have a use-case for Dynamic Client Registration as well