# OIDC architecture discussion

## One cluster per discovery endpoint

Pros:

- Each cluster serves its own discovery endpoint, so the published keys always match the cluster's signing key and no manual management is required.

Cons:

- The per-account limit on OIDC providers caps the number of clusters that can be registered.
- If the cluster is private, the identity provider cannot fetch the discovery document and JWKS from it, so the endpoint still has to be mirrored to a reachable location and managed manually.

## Multiple clusters per discovery endpoint

Pros:

- The per-account OIDC provider limit is not an issue: one provider covers all guest clusters.

Cons:

- Needs manual management, since the lifecycle of the discovery endpoint is not coupled to any one cluster.
- If each cluster uses its own service-account signing key, the published JWKS has to be updated whenever a cluster is added or deleted: every cluster contributes a different key ID (`kid`), and a token whose `kid` is missing from the JWKS fails verification.
- A service account with the same name and namespace in any guest cluster can assume roles created for another guest cluster whose trust policy points at the shared OIDC provider, because the trust condition can only match token claims such as `iss`, `sub` (`system:serviceaccount:<namespace>:<name>`) and `aud`, none of which identifies the cluster. This is tolerable only as long as all those roles really carry roughly the same permissions policies; as soon as one cluster's role is more privileged, an identically named service account in every other guest cluster gains it too.
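To make the last two cons of the shared-endpoint design concrete, the following Go program is an added example written for this page, not code from this discussion or from any project it refers to. It models two guest clusters with their own RS256 service-account signing keys, the merged JWKS the shared discovery endpoint would have to publish, a minimal verifier that selects the key by `kid` the way the IAM side does, and a trust-policy check that can only look at `iss` and `sub`. The issuer URL, the audience value, and the namespace and service-account names are assumptions; the `kid` derivation mirrors the one kube-apiserver uses for its own keys.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Every guest cluster is started with this same issuer, so IAM sees one OIDC provider (assumed URL).
const issuer = "https://oidc.example.internal/guest-clusters"

// JWK is the RSA key published per cluster signing key; JWKS is the merged set at jwks_uri (no JSON tags: never serialized here).
type JWK struct{ Kty, Kid, Alg, N, E string }
type JWKS struct{ Keys []JWK }

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func b64(b []byte) string           { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) []byte         { b, _ := base64.RawURLEncoding.DecodeString(s); return b } // garbage -> nil -> signature check fails
func newClusterKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) } // stands in for creating a guest cluster

// kid derives the key ID the way kube-apiserver does: base64url(SHA-256(DER public key)).
func kid(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(must(x509.MarshalPKIXPublicKey(pub)))
	return b64(sum[:])
}

// publishJWKS is the manual step this design needs: re-run and re-publish whenever a cluster is added or deleted.
func publishJWKS(clusters []*rsa.PrivateKey) JWKS {
	var set JWKS
	for _, k := range clusters {
		pub := &k.PublicKey
		set.Keys = append(set.Keys, JWK{Kty: "RSA", Kid: kid(pub), Alg: "RS256",
			N: b64(pub.N.Bytes()), E: b64(big.NewInt(int64(pub.E)).Bytes())})
	}
	return set
}

// mintToken stands in for a projected service-account token: an RS256 JWT whose header names the key by kid (aud assumed, exp omitted).
func mintToken(key *rsa.PrivateKey, namespace, name string) string {
	header := must(json.Marshal(map[string]string{"alg": "RS256", "kid": kid(&key.PublicKey)}))
	claims := must(json.Marshal(map[string]any{
		"iss": issuer, "aud": []string{"sts.example"},
		"sub": "system:serviceaccount:" + namespace + ":" + name,
	}))
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig := must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]))
	return signingInput + "." + b64(sig)
}

// verifyToken does what the IAM side does with the fetched JWKS: select the key by kid, verify RS256 over header.payload, return claims.
func verifyToken(token string, set JWKS) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var header struct{ Alg, Kid string }
	if err := json.Unmarshal(unb64(parts[0]), &header); err != nil || header.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or unexpected alg")
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kid == header.Kid {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(unb64(k.N)),
				E: int(new(big.Int).SetBytes(unb64(k.E)).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("kid %q not in published JWKS (cluster not added yet?)", header.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], unb64(parts[2])); err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(unb64(parts[1]), &claims)
}

// trustPolicyAllows emulates the usual role trust policy: federated principal = the shared OIDC provider,
// condition sub == system:serviceaccount:<ns>:<name>. Neither iss nor sub says which guest cluster minted the token.
func trustPolicyAllows(claims map[string]any, namespace, name string) bool {
	return claims["iss"] == issuer && claims["sub"] == "system:serviceaccount:"+namespace+":"+name
}

func main() {
	guestA, guestB := newClusterKey(), newClusterKey()
	set := publishJWKS([]*rsa.PrivateKey{guestA, guestB})
	claims, err := verifyToken(mintToken(guestB, "default", "app"), set) // minted in guest-b
	fmt.Println("verifies:", err == nil, "| role for guest-a default/app accepts it:",
		trustPolicyAllows(claims, "default", "app"))
}
```

Run with `go run .`: the token minted in guest-b verifies against the merged JWKS and satisfies a trust policy written for guest-a's `default/app`, which is the cross-cluster role assumption the last con describes. Minting a token from a third key that has not been merged into the JWKS yields the unknown-`kid` error, which is what an operator sees when a cluster is added before the shared key set is re-published.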