Security Notes

  • Store clientSecret outside source control in environment-specific configuration.

  • Use HTTPS for the issuer, redirect URI, SCIM URI, and service endpoints.

  • Keep validateIssuer=true and validateAudience=true unless you are diagnosing a non-production setup.

  • Password grant is currently required by PASService and CycleService, so restrict that client carefully at the IdP.
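The first three notes can be enforced mechanically before a deployment goes out. The linter below is an added example and not part of this documentation or the services it describes; it assumes the configuration is a flat mapping with the key names issuer, redirectUri, scimUri and serviceEndpoint, that secrets are injected as `${VAR}` references resolved from the environment, and the two sample configs are constructed for illustration.

```python
import os
import re
from urllib.parse import urlparse

# Key names are assumptions for this example; the notes above name only
# clientSecret, validateIssuer and validateAudience explicitly.
URL_KEYS = ("issuer", "redirectUri", "scimUri", "serviceEndpoint")
FLAG_KEYS = ("validateIssuer", "validateAudience")
# A secret is acceptable only as a ${VAR} reference resolved at runtime.
ENV_REF = re.compile(r"^\$\{([A-Z][A-Z0-9_]*)\}$")


def lint_config(cfg, env=None):
    """Return a list of findings; an empty list means the config follows the notes."""
    env = os.environ if env is None else env
    findings = []

    # Note 1: clientSecret must not be a literal in the checked-in file.
    secret = cfg.get("clientSecret", "")
    ref = ENV_REF.match(secret)
    if ref is None:
        findings.append("clientSecret: literal value in config; use a ${VAR} reference")
    elif ref.group(1) not in env:
        findings.append(f"clientSecret: {ref.group(0)} is not set in this environment")

    # Note 2: every endpoint must be reached over HTTPS.
    for key in URL_KEYS:
        value = cfg.get(key)
        if value is not None and urlparse(value).scheme != "https":
            findings.append(f"{key}: must use https, got {value!r}")

    # Note 3: report a missing flag too; rely on an explicit true, not a library default.
    for key in FLAG_KEYS:
        if cfg.get(key) is not True:
            findings.append(f"{key}: must be explicitly true")

    return findings


# Constructed sample configs: the weak one beside its hardened counterpart.
WEAK = {
    "clientSecret": "literal-secret-value",
    "issuer": "http://idp.example.test/",
    "redirectUri": "https://app.example.test/signin-oidc",
    "scimUri": "http://app.example.test/scim/v2",
    "validateIssuer": False,
    "validateAudience": True,
}
HARDENED = dict(WEAK, clientSecret="${OIDC_CLIENT_SECRET}",
                issuer="https://idp.example.test/",
                scimUri="https://app.example.test/scim/v2",
                validateIssuer=True)
```

Running `lint_config(WEAK)` reports the literal secret, both plain-HTTP URIs and the disabled issuer check, while `lint_config(HARDENED)` is clean only when `OIDC_CLIENT_SECRET` is actually present in the environment.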