feat(oidc): client_secret_jwt authentication

This adds the authentication machinery for the client_secret_jwt Default Client Authentication Strategy.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>

config.template.yml

@@ -1521,6 +1521,10 @@ notifier:
         ## the 'client_secret_jwt' token_endpoint_auth_method.
         # token_endpoint_auth_signing_alg: HS256
 
+        ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
+        ## the 'client_secret_jwt' token_endpoint_auth_method.
+        # token_endpoint_auth_signing_alg: HS256
+
         ## The policy to require for this client; one_factor or two_factor.
         # authorization_policy: 'two_factor'
 

internal/configuration/config.template.yml

@@ -1521,6 +1521,10 @@ notifier:
         ## the 'client_secret_jwt' token_endpoint_auth_method.
         # token_endpoint_auth_signing_alg: HS256
 
+        ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
+        ## the 'client_secret_jwt' token_endpoint_auth_method.
+        # token_endpoint_auth_signing_alg: HS256
+
         ## The policy to require for this client; one_factor or two_factor.
         # authorization_policy: 'two_factor'
 

internal/oidc/client_auth.go

@@ -74,8 +74,8 @@ func (p *OpenIDConnectProvider) DefaultClientAuthenticationStrategy(ctx context.
 				return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("This requested OAuth 2.0 client only supports client authentication method '%s', however that method is not supported by this server.", oidcClient.GetTokenEndpointAuthMethod()))
 			}
 
-			if oidcClient.GetTokenEndpointAuthSigningAlgorithm() != fmt.Sprintf("%s", t.Header[JWTHeaderKeyAlgorithm]) {
+			if oidcClient.GetTokenEndpointAuthSigningAlgorithm() != fmt.Sprintf("%s", t.Header[HeaderParameterAlgorithm]) {
-				return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' uses signing algorithm '%s' but the requested OAuth 2.0 Client enforces signing algorithm '%s'.", t.Header[JWTHeaderKeyAlgorithm], oidcClient.GetTokenEndpointAuthSigningAlgorithm()))
+				return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' uses signing algorithm '%s' but the requested OAuth 2.0 Client enforces signing algorithm '%s'.", t.Header[HeaderParameterAlgorithm], oidcClient.GetTokenEndpointAuthSigningAlgorithm()))
 			}
 
 			switch t.Method {
@@ -94,7 +94,7 @@ func (p *OpenIDConnectProvider) DefaultClientAuthenticationStrategy(ctx context.
 
 				return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHint("This client does not support authentication method 'client_secret_jwt' as the client secret is not in plaintext."))
 			default:
-				return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' request parameter uses unsupported signing algorithm '%s'.", t.Header[JWTHeaderKeyAlgorithm]))
+				return nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHintf("The 'client_assertion' request parameter uses unsupported signing algorithm '%s'.", t.Header[HeaderParameterAlgorithm]))
 			}
 		})
 

internal/oidc/const.go

@@ -134,6 +134,10 @@ const (
 	PKCEChallengeMethodSHA256 = "S256"
 )
 
+const (
+	HeaderParameterAlgorithm = "alg"
+)
+
 const (
 	FormParameterClientID            = "client_id"
 	FormParameterClientSecret        = "client_secret"
@@ -166,9 +170,6 @@ const (
 const (
 	// JWTHeaderKeyIdentifier is the JWT Header referencing the JWS Key Identifier used to sign a token.
 	JWTHeaderKeyIdentifier = "kid"
-
-	// JWTHeaderKeyAlgorithm is the JWT Header referencing the JWS Key algorithm used to sign a token.
-	JWTHeaderKeyAlgorithm = "alg"
 )
 
 const (