From 435d8e35fd80f3124507ca20d0dd5b56f4c153e1 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Sat, 15 Apr 2023 20:55:38 +1000
Subject: [PATCH] feat(oidc): client_secret_jwt authentication

This adds the authentication machinery for the client_secret_jwt Default Client Authentication Strategy.

Signed-off-by: James Elliott
---
 config.template.yml | 4 ++++
 internal/configuration/config.template.yml | 4 ++++
 internal/oidc/client_auth.go | 6 +++---
 internal/oidc/const.go | 7 ++++---
 4 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/config.template.yml b/config.template.yml
index 69270a5d0..dbeb986f3 100644
--- a/config.template.yml
+++ b/config.template.yml
@@ -1521,6 +1521,10 @@ notifier:
     ## the 'client_secret_jwt' token_endpoint_auth_method.
     # token_endpoint_auth_signing_alg: HS256
+    ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
+    ## the 'client_secret_jwt' token_endpoint_auth_method.
+    # token_endpoint_auth_signing_alg: HS256
+
     ## The policy to require for this client; one_factor or two_factor.
     # authorization_policy: 'two_factor'
diff --git a/internal/configuration/config.template.yml b/internal/configuration/config.template.yml
index 69270a5d0..dbeb986f3 100644
--- a/internal/configuration/config.template.yml
+++ b/internal/configuration/config.template.yml
@@ -1521,6 +1521,10 @@ notifier:
     ## the 'client_secret_jwt' token_endpoint_auth_method.
     # token_endpoint_auth_signing_alg: HS256
+    ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
+    ## the 'client_secret_jwt' token_endpoint_auth_method.
+    # token_endpoint_auth_signing_alg: HS256
+
     ## The policy to require for this client; one_factor or two_factor.
     # authorization_policy: 'two_factor'
diff --git a/internal/oidc/client_auth.go b/internal/oidc/client_auth.go
index c852153bc..1b76d9438 100644
--- a/internal/oidc/client_auth.go
+++ b/internal/oidc/client_auth.go
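Review bot: The @@ -1521 hunk of config.template.yml inserts a second copy of the `token_endpoint_auth_signing_alg` block directly beneath the existing one: the context lines already read `## the 'client_secret_jwt' token_endpoint_auth_method.` and `# token_endpoint_auth_signing_alg: HS256`, and the added lines repeat them verbatim, so the template now documents the same option twice. The identical hunk in internal/configuration/config.template.yml has the same problem. Either drop the four added lines in both files or remove the pre-existing occurrence, keeping one block. If the intent was to improve the existing comment, it would help to say that the value has to match the `alg` header the client puts in its `client_assertion`, since client_auth.go rejects assertions whose header differs from it.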
@@ -74,8 +74,8 @@ func (p *OpenIDConnectProvider) DefaultClientAuthenticationStrategy(ctx context.
 			return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("This requested OAuth 2.0 client only supports client authentication method '%s', however that method is not supported by this server.", oidcClient.GetTokenEndpointAuthMethod()))
 		}
-		if oidcClient.GetTokenEndpointAuthSigningAlgorithm() != fmt.Sprintf("%s", t.Header[JWTHeaderKeyAlgorithm]) {
-			return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' uses signing algorithm '%s' but the requested OAuth 2.0 Client enforces signing algorithm '%s'.", t.Header[JWTHeaderKeyAlgorithm], oidcClient.GetTokenEndpointAuthSigningAlgorithm()))
+		if oidcClient.GetTokenEndpointAuthSigningAlgorithm() != fmt.Sprintf("%s", t.Header[HeaderParameterAlgorithm]) {
+			return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' uses signing algorithm '%s' but the requested OAuth 2.0 Client enforces signing algorithm '%s'.", t.Header[HeaderParameterAlgorithm], oidcClient.GetTokenEndpointAuthSigningAlgorithm()))
 		}
 		switch t.Method {
@@ -94,7 +94,7 @@ func (p *OpenIDConnectProvider) DefaultClientAuthenticationStrategy(ctx context.
 			return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHint("This client does not support authentication method 'client_secret_jwt' as the client secret is not in plaintext."))
 		default:
-			return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' request parameter uses unsupported signing algorithm '%s'.", t.Header[JWTHeaderKeyAlgorithm]))
+			return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' request parameter uses unsupported signing algorithm '%s'.", t.Header[HeaderParameterAlgorithm]))
 		}
 	})
diff --git a/internal/oidc/const.go b/internal/oidc/const.go
index 2143236af..294ac4a1b 100644
--- a/internal/oidc/const.go
+++ b/internal/oidc/const.go
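Review bot: The renamed comparison in the @@ -74 hunk still goes through `fmt.Sprintf("%s", t.Header[HeaderParameterAlgorithm])`, which stringifies whatever the client put in the assertion header: if `alg` is absent the configured algorithm is compared against `%!s(<nil>)` and the hint sent back to the client reads the same, and a non-string value is formatted rather than rejected (assuming `t.Header` is the JWT library's `map[string]any`). The check still fails closed, but a type assertion says what is meant and keeps the hint readable: `alg, ok := t.Header[HeaderParameterAlgorithm].(string)` followed by `if !ok || oidcClient.GetTokenEndpointAuthSigningAlgorithm() != alg {`, using `alg` in the two hints. The `default:` branch of the @@ -94 hunk does the same `t.Header[HeaderParameterAlgorithm]` lookup and can reuse that `alg`; consider `%q` rather than `'%s'` there, since the value is client-controlled and is reflected into the error description. The enclosing DefaultClientAuthenticationStrategy body starts and ends outside both hunks.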
@@ -134,6 +134,10 @@ const (
 	PKCEChallengeMethodSHA256 = "S256"
 )
+const (
+	HeaderParameterAlgorithm = "alg"
+)
+
 const (
 	FormParameterClientID = "client_id"
 	FormParameterClientSecret = "client_secret"
@@ -166,9 +170,6 @@ const (
 	// JWTHeaderKeyIdentifier is the JWT Header referencing the JWS Key Identifier used to sign a token.
 	JWTHeaderKeyIdentifier = "kid"
-
-	// JWTHeaderKeyAlgorithm is the JWT Header referencing the JWS Key algorithm used to sign a token.
-	JWTHeaderKeyAlgorithm = "alg"
 )
 const (
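Review bot: `HeaderParameterAlgorithm` in the @@ -134 hunk is an exported constant added with no doc comment, while the `JWTHeaderKeyAlgorithm` it replaces (removed in the @@ -166 hunk) had one, and it lands in a new unnamed block away from `JWTHeaderKeyIdentifier` (`"kid"`), the other JOSE header parameter in this file. Suggest `// HeaderParameterAlgorithm is the JOSE 'alg' Header Parameter which names the algorithm used to secure the token.` above the constant, and either placing it in the block that holds `JWTHeaderKeyIdentifier` or moving that constant to the `HeaderParameter` naming in a follow-up so the two header names are found together. The `const (` on the last line of the second hunk opens a block that continues past the hunk boundary.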