Story
Resolution: Unresolved
Critical
OCPSTRAT-402 - Unified Console
In the current POC, the console backend assumes the OAuth client secret will be the same for each managed cluster. Ideally, we will support allowing each cluster to have a unique OAuth client secret for the hub console.
The SSO operator will handle creating the OAuthClient on each spoke cluster. It can add the secrets to the openshift-config-managed namespace on the hub cluster, which the console operator can read and pass to the console backend as config.
The backend already has separate authenticators for each cluster, each holding its own secret. The backend simply needs a way to read those secrets from the console config.
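One way the backend could read a distinct secret per cluster from its config, added here as an example and not taken from the console code base. The `ClusterOAuth` and `Authenticator` types, their fields, and the choice to mount each secret as a file are assumptions; the sample values are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// ClusterOAuth is a hypothetical per-cluster entry in the console config.
type ClusterOAuth struct{ Name, ClientID, SecretFile string }

// Authenticator stands in for the backend's per-cluster authenticator.
type Authenticator struct{ Cluster, ClientID string; secret []byte }

// LoadAuthenticators fails closed: a duplicate, unreadable or empty secret is an
// error, never a fallback. It also lists clusters reusing an earlier secret.
func LoadAuthenticators(cfg []ClusterOAuth, read func(string) ([]byte, error)) (map[string]*Authenticator, []string, error) {
	out := make(map[string]*Authenticator, len(cfg))
	seen := map[[32]byte]bool{} // digests only, so secret bytes never reach logs
	var reused []string
	for _, c := range cfg {
		if _, dup := out[c.Name]; dup {
			return nil, nil, fmt.Errorf("cluster %q configured twice", c.Name)
		}
		raw, err := read(c.SecretFile)
		if err != nil {
			return nil, nil, fmt.Errorf("cluster %q: reading client secret: %w", c.Name, err)
		}
		secret := bytes.TrimSpace(raw) // mounted secret files often end in a newline
		if len(secret) == 0 {
			return nil, nil, fmt.Errorf("cluster %q: client secret is empty", c.Name)
		}
		if d := sha256.Sum256(secret); seen[d] {
			reused = append(reused, c.Name)
		} else {
			seen[d] = true
		}
		out[c.Name] = &Authenticator{Cluster: c.Name, ClientID: c.ClientID, secret: secret}
	}
	return out, reused, nil
}

func main() {
	files := map[string]string{"a.secret": "s3cr3t-a\n", "b.secret": "s3cr3t-a"} // constructed sample
	read := func(p string) ([]byte, error) { return []byte(files[p]), nil }
	cfg := []ClusterOAuth{{"spoke-a", "console", "a.secret"}, {"spoke-b", "console", "b.secret"}}
	_, reused, err := LoadAuthenticators(cfg, read)
	fmt.Println(reused, err)
}
```

The `reused` list lets the operator or backend log which spokes still share a secret without ever printing the secret itself.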