Moved into its own plugin and tested.

After discussion with @Scott Cantor and @Henri Mikkonen this work has moved into a new plugin java-idp-plugin-oidc-config. Commons will not contain any shared configuration. The RP and OP will directly depend on the new module (id: idp.oidc.config.1) which will depend on oidc-commons. They will need to be installed in the correct order with the possibility of the installer handling this in the future.

We also removed the properties files and conf/ XML configuration from the plugin and back into the OP and RP. Consequently, the new plugin only holds JAR-based configuration automatically applied by the IdP.

Further updates on this issue will refer to java-idp-plugin-oidc-config.

I merged the branch into main. We can adjust it from there.

The only remaining issue with the OIDC.SSO bean is the use of the DefaultJWTClaimsValidator bean as the claims validator. The RP does not supply that, so the config will not load without the OP. I propose using the getObject syntax for this, such that it could be null if not supplied.

Obviously, we need to check the OP does not just ignore JWT validation if the bean is null (although once the OP is installed it should pick it up).

After speaking to @Henri Mikkonen, it seems best not to make commons V2.2.0 responsible for a shared security properties file, so that it does not confuse deployers on upgrade. This could be added back for commons V3.0.0.