feat(oidc): client_secret_jwt authentication

This adds the authentication machinery for the client_secret_jwt Default Client Authentication Strategy. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 20:55:38 +10:00 · 2023-04-15 20:55:38 +10:00 · 435d8e35fd
parent a34b1412ed
commit 435d8e35fd
4 changed files with 15 additions and 6 deletions
--- a/config.template.yml
+++ b/config.template.yml
@ -1521,6 +1521,10 @@ notifier:
        ## the 'client_secret_jwt' token_endpoint_auth_method.
        # token_endpoint_auth_signing_alg: HS256

+        ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
+        ## the 'client_secret_jwt' token_endpoint_auth_method.
+        # token_endpoint_auth_signing_alg: HS256
+
        ## The policy to require for this client; one_factor or two_factor.
        # authorization_policy: 'two_factor'

--- a/internal/configuration/config.template.yml
+++ b/internal/configuration/config.template.yml
@ -1521,6 +1521,10 @@ notifier:
        ## the 'client_secret_jwt' token_endpoint_auth_method.
        # token_endpoint_auth_signing_alg: HS256

+        ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
+        ## the 'client_secret_jwt' token_endpoint_auth_method.
+        # token_endpoint_auth_signing_alg: HS256
+
        ## The policy to require for this client; one_factor or two_factor.
        # authorization_policy: 'two_factor'

--- a/internal/oidc/client_auth.go
+++ b/internal/oidc/client_auth.go
@ -74,8 +74,8 @@ func (p *OpenIDConnectProvider) DefaultClientAuthenticationStrategy(ctx context.
 				return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("This requested OAuth 2.0 client only supports client authentication method '%s', however that method is not supported by this server.", oidcClient.GetTokenEndpointAuthMethod()))
 			}

-			if oidcClient.GetTokenEndpointAuthSigningAlgorithm() != fmt.Sprintf("%s", t.Header[JWTHeaderKeyAlgorithm]) {
-				return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' uses signing algorithm '%s' but the requested OAuth 2.0 Client enforces signing algorithm '%s'.", t.Header[JWTHeaderKeyAlgorithm], oidcClient.GetTokenEndpointAuthSigningAlgorithm()))
+			if oidcClient.GetTokenEndpointAuthSigningAlgorithm() != fmt.Sprintf("%s", t.Header[HeaderParameterAlgorithm]) {
+				return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' uses signing algorithm '%s' but the requested OAuth 2.0 Client enforces signing algorithm '%s'.", t.Header[HeaderParameterAlgorithm], oidcClient.GetTokenEndpointAuthSigningAlgorithm()))
 			}

 			switch t.Method {
@ -94,7 +94,7 @@ func (p *OpenIDConnectProvider) DefaultClientAuthenticationStrategy(ctx context.

 				return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHint("This client does not support authentication method 'client_secret_jwt' as the client secret is not in plaintext."))
 			default:
-				return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' request parameter uses unsupported signing algorithm '%s'.", t.Header[JWTHeaderKeyAlgorithm]))
+				return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' request parameter uses unsupported signing algorithm '%s'.", t.Header[HeaderParameterAlgorithm]))
 			}
 		})

--- a/internal/oidc/const.go
+++ b/internal/oidc/const.go
@ -134,6 +134,10 @@ const (
 	PKCEChallengeMethodSHA256 = "S256"
 )

+const (
+	HeaderParameterAlgorithm = "alg"
+)
+
 const (
 	FormParameterClientID            = "client_id"
 	FormParameterClientSecret        = "client_secret"
@ -166,9 +170,6 @@ const (
 const (
 	// JWTHeaderKeyIdentifier is the JWT Header referencing the JWS Key Identifier used to sign a token.
 	JWTHeaderKeyIdentifier = "kid"
-
-	// JWTHeaderKeyAlgorithm is the JWT Header referencing the JWS Key algorithm used to sign a token.
-	JWTHeaderKeyAlgorithm = "alg"
 )

 const (