diff --git a/config.template.yml b/config.template.yml index 69270a5d0..dbeb986f3 100644 --- a/config.template.yml +++ b/config.template.yml @@ -1521,6 +1521,10 @@ notifier: ## the 'client_secret_jwt' token_endpoint_auth_method. # token_endpoint_auth_signing_alg: HS256 + ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using + ## the 'client_secret_jwt' token_endpoint_auth_method. + # token_endpoint_auth_signing_alg: HS256 + ## The policy to require for this client; one_factor or two_factor. # authorization_policy: 'two_factor' diff --git a/internal/configuration/config.template.yml b/internal/configuration/config.template.yml index 69270a5d0..dbeb986f3 100644 --- a/internal/configuration/config.template.yml +++ b/internal/configuration/config.template.yml @@ -1521,6 +1521,10 @@ notifier: ## the 'client_secret_jwt' token_endpoint_auth_method. # token_endpoint_auth_signing_alg: HS256 + ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using + ## the 'client_secret_jwt' token_endpoint_auth_method. + # token_endpoint_auth_signing_alg: HS256 + ## The policy to require for this client; one_factor or two_factor. # authorization_policy: 'two_factor' diff --git a/internal/oidc/client_auth.go b/internal/oidc/client_auth.go index c852153bc..1b76d9438 100644 --- a/internal/oidc/client_auth.go +++ b/internal/oidc/client_auth.go @@ -74,8 +74,8 @@ func (p *OpenIDConnectProvider) DefaultClientAuthenticationStrategy(ctx context. return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("This requested OAuth 2.0 client only supports client authentication method '%s', however that method is not supported by this server.", oidcClient.GetTokenEndpointAuthMethod())) } - if oidcClient.GetTokenEndpointAuthSigningAlgorithm() != fmt.Sprintf("%s", t.Header[JWTHeaderKeyAlgorithm]) { - return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' uses signing algorithm '%s' but the requested OAuth 2.0 Client enforces signing algorithm '%s'.", t.Header[JWTHeaderKeyAlgorithm], oidcClient.GetTokenEndpointAuthSigningAlgorithm())) + if oidcClient.GetTokenEndpointAuthSigningAlgorithm() != fmt.Sprintf("%s", t.Header[HeaderParameterAlgorithm]) { + return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' uses signing algorithm '%s' but the requested OAuth 2.0 Client enforces signing algorithm '%s'.", t.Header[HeaderParameterAlgorithm], oidcClient.GetTokenEndpointAuthSigningAlgorithm())) } switch t.Method { @@ -94,7 +94,7 @@ func (p *OpenIDConnectProvider) DefaultClientAuthenticationStrategy(ctx context. return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHint("This client does not support authentication method 'client_secret_jwt' as the client secret is not in plaintext.")) default: - return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' request parameter uses unsupported signing algorithm '%s'.", t.Header[JWTHeaderKeyAlgorithm])) + return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' request parameter uses unsupported signing algorithm '%s'.", t.Header[HeaderParameterAlgorithm])) } }) diff --git a/internal/oidc/const.go b/internal/oidc/const.go index 2143236af..294ac4a1b 100644 --- a/internal/oidc/const.go +++ b/internal/oidc/const.go @@ -134,6 +134,10 @@ const ( PKCEChallengeMethodSHA256 = "S256" ) +const ( + HeaderParameterAlgorithm = "alg" +) + const ( FormParameterClientID = "client_id" FormParameterClientSecret = "client_secret" @@ -166,9 +170,6 @@ const ( const ( // JWTHeaderKeyIdentifier is the JWT Header referencing the JWS Key Identifier used to sign a token. JWTHeaderKeyIdentifier = "kid" - - // JWTHeaderKeyAlgorithm is the JWT Header referencing the JWS Key algorithm used to sign a token. - JWTHeaderKeyAlgorithm = "alg" ) const (