PKCE and Adding private key JWT support for OIDC (#22732)

* Adding private key JWT support for OIDC

Author: panman90

.changelog/22732.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+oidc: add client authentication using JWT assertion and PKCE. default PKCE is enabled.
+```

api/acl.go

@@ -483,12 +483,14 @@ type OIDCAuthMethodConfig struct {
 	OIDCDiscoveryURL    string            `json:",omitempty"`
 	OIDCDiscoveryCACert string            `json:",omitempty"`
 	// just for type=oidc
-	OIDCClientID        string   `json:",omitempty"`
-	OIDCClientSecret    string   `json:",omitempty"`
-	OIDCScopes          []string `json:",omitempty"`
-	OIDCACRValues       []string `json:",omitempty"`
-	AllowedRedirectURIs []string `json:",omitempty"`
-	VerboseOIDCLogging  bool     `json:",omitempty"`
+	OIDCClientID        string               `json:",omitempty"`
+	OIDCClientSecret    string               `json:",omitempty"`
+	OIDCClientAssertion *OIDCClientAssertion `json:",omitempty"`
+	OIDCClientUsePKCE   *bool                `json:",omitempty"`
+	OIDCScopes          []string             `json:",omitempty"`
+	OIDCACRValues       []string             `json:",omitempty"`
+	AllowedRedirectURIs []string             `json:",omitempty"`
+	VerboseOIDCLogging  bool                 `json:",omitempty"`
 	// just for type=jwt
 	JWKSURL              string        `json:",omitempty"`
 	JWKSCACert           string        `json:",omitempty"`
@@ -513,6 +515,8 @@ func (c *OIDCAuthMethodConfig) RenderToConfig() map[string]interface{} {
 		// just for type=oidc
 		"OIDCClientID":        c.OIDCClientID,
 		"OIDCClientSecret":    c.OIDCClientSecret,
+		"OIDCClientAssertion": c.OIDCClientAssertion,
+		"OIDCClientUsePKCE":   c.OIDCClientUsePKCE,
 		"OIDCScopes":          c.OIDCScopes,
 		"OIDCACRValues":       c.OIDCACRValues,
 		"AllowedRedirectURIs": c.AllowedRedirectURIs,
@@ -528,6 +532,16 @@ func (c *OIDCAuthMethodConfig) RenderToConfig() map[string]interface{} {
 	}
 }
 
+type OIDCClientAssertion struct {
+	Audience     []string
+	PrivateKey   *OIDCClientAssertionKey
+	KeyAlgorithm string
+}
+
+type OIDCClientAssertionKey struct {
+	PemKey string
+}
+
 type ACLLoginParams struct {
 	AuthMethod  string
 	BearerToken string

go.mod

@@ -22,7 +22,7 @@ require (
 	github.com/armon/go-metrics v0.4.1
 	github.com/armon/go-radix v1.0.0
 	github.com/aws/aws-sdk-go v1.55.7
-	github.com/coreos/go-oidc/v3 v3.9.0
+	github.com/coreos/go-oidc/v3 v3.11.0
 	github.com/deckarep/golang-set/v2 v2.3.1
 	github.com/docker/go-connections v0.4.0
 	github.com/envoyproxy/go-control-plane v0.13.4
@@ -37,12 +37,14 @@ require (
 	github.com/go-openapi/runtime v0.26.2
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-viper/mapstructure/v2 v2.4.0
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/google/go-cmp v0.7.0
 	github.com/google/gofuzz v1.2.0
 	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
 	github.com/google/tcpproxy v0.0.0-20180808230851-dfa16c61dad2
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/hashi-derek/grpc-proxy v0.0.0-20231207191910-191266484d75
+	github.com/hashicorp/cap v0.10.0
 	github.com/hashicorp/consul-awsauth v0.0.0-20250825122907-9e35fe9ded3a
 	github.com/hashicorp/consul-net-rpc v0.0.0-20221205195236-156cfab66a69
 	github.com/hashicorp/consul/api v1.31.2
@@ -191,6 +193,7 @@ require (
 	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect

go.sum

@@ -197,8 +197,8 @@ github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc
 github.com/coreos/etcd v3.3.27+incompatible h1:QIudLb9KeBsE5zyYxd1mjzRSkzLg9Wf9QlRwFgd6oTA=
 github.com/coreos/etcd v3.3.27+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
-github.com/coreos/go-oidc/v3 v3.9.0 h1:0J/ogVOd4y8P0f0xUh8l9t07xRP/d8tccvjHl2dcsSo=
-github.com/coreos/go-oidc/v3 v3.9.0/go.mod h1:rTKz2PYwftcrtoCzV5g5kvfJoWcm0Mk8AF8y1iAQro4=
+github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
+github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
@@ -279,6 +279,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
 github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
+github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -331,6 +333,8 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.2.5 h1:DrW6hGnjIhtvhOIiAKT6Psh/Kd/ldepEa81DKeiRJ5I=
 github.com/golang/glog v1.2.5/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
@@ -445,6 +449,8 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rH
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
 github.com/hashi-derek/grpc-proxy v0.0.0-20231207191910-191266484d75 h1:V5Uqf7VoWMd6UhNf/5EMA8LMPUm95GYvk2YF5SzT24o=
 github.com/hashi-derek/grpc-proxy v0.0.0-20231207191910-191266484d75/go.mod h1:5eEnHfK72jOkp4gC1dI/Q/E9MFNOM/ewE/vql5ijV3g=
+github.com/hashicorp/cap v0.10.0 h1:OJM3JQTwVO1DigRIPNTxM387oqXlokKhttZHotU0b1s=
+github.com/hashicorp/cap v0.10.0/go.mod h1:HKbv27kfps+wONFNyNTHpAQmU/DCjjDuB5HF6mFsqPQ=
 github.com/hashicorp/consul-awsauth v0.0.0-20250825122907-9e35fe9ded3a h1:Qd0N8lIr1QP/d7FYxseYjRLUtJp2+2R8k+mjiC2rmiY=
 github.com/hashicorp/consul-awsauth v0.0.0-20250825122907-9e35fe9ded3a/go.mod h1:++exZ1sI8JLIv4QvzGvTjZdf1eZARoZcaNEjNT9SZYA=
 github.com/hashicorp/consul-net-rpc v0.0.0-20221205195236-156cfab66a69 h1:wzWurXrxfSyG1PHskIZlfuXlTSCj1Tsyatp9DtaasuY=

internal/go-sso/oidcauth/auth.go

@@ -17,6 +17,7 @@ import (
 	"sync"
 
 	"github.com/coreos/go-oidc/v3/oidc"
+	capOidc "github.com/hashicorp/cap/oidc"
 	"github.com/hashicorp/go-hclog"
 	"github.com/patrickmn/go-cache"
 )
@@ -41,8 +42,14 @@ type Authenticator struct {
 
 	// parsedJWTPubKeys is the parsed form of config.JWTValidationPubKeys
 	parsedJWTPubKeys []interface{}
-	provider         *oidc.Provider
-	keySet           oidc.KeySet
+
+	// provider is the coreos/go-oidc provider used for JWT validation
+	provider *oidc.Provider
+
+	// capProvider is the HashiCorp CAP library provider used for OIDC flows
+	// with support for private key JWT client authentication
+	capProvider *capOidc.Provider
+	keySet      oidc.KeySet
 
 	// httpClient should be configured with all relevant root CA certs and be
 	// reused for all OIDC or JWKS operations. This will be nil for the static
@@ -86,13 +93,43 @@ func New(c *Config, logger hclog.Logger) (*Authenticator, error) {
 	}
 	a.backgroundCtx, a.backgroundCtxCancel = context.WithCancel(context.Background())
 
+	var err error
 	if c.Type == TypeOIDC {
 		a.oidcStates = cache.New(oidcStateTimeout, oidcStateCleanupInterval)
 	}
 
-	var err error
 	switch c.authType() {
-	case authOIDCDiscovery, authOIDCFlow:
+	case authOIDCFlow:
+		var supported []capOidc.Alg
+		if len(a.config.JWTSupportedAlgs) == 0 {
+			// Default to RS256 if nothing is specified.
+			supported = []capOidc.Alg{capOidc.RS256}
+		} else {
+			for _, alg := range a.config.JWTSupportedAlgs {
+				supported = append(supported, capOidc.Alg(alg))
+			}
+		}
+		// Use CAP's OIDC provider to leverage its built-in support for
+		// both standard client secret and JWT assertion authentication methods
+		providerConfig, err := capOidc.NewConfig(
+			a.config.OIDCDiscoveryURL,
+			a.config.OIDCClientID,
+			capOidc.ClientSecret(a.config.OIDCClientSecret),
+			supported,
+			a.config.AllowedRedirectURIs,
+			capOidc.WithAudiences(a.config.BoundAudiences...),
+			capOidc.WithProviderCA(a.config.OIDCDiscoveryCACert),
+		)
+		if err != nil {
+			return nil, fmt.Errorf("error creating provider config: %v", err)
+		}
+
+		provider, err := capOidc.NewProvider(providerConfig)
+		if err != nil {
+			return nil, fmt.Errorf("error creating provider: %v", err)
+		}
+		a.capProvider = provider
+	case authOIDCDiscovery:
 		a.httpClient, err = createHTTPClient(a.config.OIDCDiscoveryCACert)
 		if err != nil {
 			return nil, fmt.Errorf("error parsing OIDCDiscoveryCACert: %v", err)

internal/go-sso/oidcauth/auth_test.go

@@ -0,0 +1,166 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package oidcauth
+
+import (
+	"testing"
+	"time"
+
+	"github.com/hashicorp/consul/internal/go-sso/oidcauth/oidcauthtest"
+	"github.com/hashicorp/go-hclog"
+	"github.com/patrickmn/go-cache"
+	"github.com/stretchr/testify/assert"
+)
+
+func mockConfig(typ string, t *testing.T) *Config {
+	t.Helper()
+
+	srv := oidcauthtest.Start(t)
+	srv.SetClientCreds("abc", "def")
+	cfg := &Config{
+		Type: typ,
+	}
+	if typ == TypeJWT {
+		cfg.JWKSURL = srv.Addr() + "/certs"
+		cfg.JWKSCACert = srv.CACert()
+	}
+	if typ == TypeOIDC {
+		cfg.OIDCDiscoveryURL = srv.Addr()
+		cfg.OIDCClientID = "abc"
+		cfg.OIDCClientSecret = "def"
+		cfg.AllowedRedirectURIs = []string{"https://redirect"}
+		cfg.OIDCDiscoveryCACert = srv.CACert()
+	}
+	return cfg
+}
+
+const testPublicKeyPEM = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9
+q9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==
+-----END PUBLIC KEY-----`
+
+func TestAuthenticator_JWTGroup(t *testing.T) {
+	t.Run("JWTType static keys", func(t *testing.T) {
+		cfg := mockConfig(TypeJWT, t)
+		cfg.JWTValidationPubKeys = []string{testPublicKeyPEM}
+		cfg.JWKSURL = ""
+		cfg.JWKSCACert = ""
+		logger := hclog.NewNullLogger()
+		auth, err := New(cfg, logger)
+		assert.NoError(t, err)
+		assert.NotNil(t, auth)
+		assert.Equal(t, cfg, auth.config)
+		assert.NotEmpty(t, auth.parsedJWTPubKeys)
+	})
+
+	t.Run("JWTType JWKS", func(t *testing.T) {
+		cfg := mockConfig(TypeJWT, t)
+		logger := hclog.NewNullLogger()
+		auth, err := New(cfg, logger)
+		assert.NoError(t, err)
+		assert.NotNil(t, auth)
+		assert.Equal(t, cfg, auth.config)
+	})
+
+	t.Run("JWTType failure", func(t *testing.T) {
+		cfg := mockConfig(TypeJWT, t)
+		cfg.OIDCClientID = "abc"
+		logger := hclog.NewNullLogger()
+		_, err := New(cfg, logger)
+		assert.Error(t, err)
+		requireErrorContains(t, err, "'OIDCClientID' must not be set for type")
+	})
+
+	t.Run("Stop", func(t *testing.T) {
+		cfg := mockConfig(TypeJWT, t)
+		logger := hclog.NewNullLogger()
+		auth, err := New(cfg, logger)
+		assert.NoError(t, err)
+		assert.NotNil(t, auth.backgroundCtxCancel)
+		auth.Stop()
+		assert.Nil(t, auth.backgroundCtxCancel)
+	})
+
+	t.Run("BackgroundContextCancel", func(t *testing.T) {
+		cfg := mockConfig(TypeJWT, t)
+		logger := hclog.NewNullLogger()
+		auth, err := New(cfg, logger)
+		assert.NoError(t, err)
+		done := make(chan struct{})
+		go func() {
+			<-auth.backgroundCtx.Done()
+			close(done)
+		}()
+		auth.Stop()
+		select {
+		case <-done:
+		case <-time.After(time.Second):
+			t.Fatal("backgroundCtx was not cancelled")
+		}
+	})
+}
+
+func TestAuthenticator_OIDCGroup(t *testing.T) {
+	t.Run("OIDCType", func(t *testing.T) {
+		cfg := mockConfig(TypeOIDC, t)
+		logger := hclog.NewNullLogger()
+		auth, err := New(cfg, logger)
+		assert.NoError(t, err)
+		assert.NotNil(t, auth.capProvider)
+		assert.NotNil(t, auth.oidcStates)
+	})
+
+	t.Run("OIDCDiscovery", func(t *testing.T) {
+		srv := oidcauthtest.Start(t)
+		srv.SetClientCreds("abc", "def")
+		cfg := mockConfig(TypeJWT, t)
+		cfg.JWKSURL = ""
+		cfg.JWKSCACert = ""
+		cfg.OIDCDiscoveryURL = srv.Addr()
+		cfg.OIDCDiscoveryCACert = srv.CACert()
+
+		logger := hclog.NewNullLogger()
+		auth, err := New(cfg, logger)
+		assert.NoError(t, err)
+		assert.NotNil(t, auth)
+		assert.NotNil(t, auth.provider)
+		assert.NotNil(t, auth.httpClient)
+	})
+
+	t.Run("OIDCStatesCache", func(t *testing.T) {
+		cfg := mockConfig(TypeOIDC, t)
+		logger := hclog.NewNullLogger()
+		auth, err := New(cfg, logger)
+		assert.NoError(t, err)
+		assert.NotNil(t, auth.oidcStates)
+		auth.oidcStates.Set("state", "value", cache.DefaultExpiration)
+		val, found := auth.oidcStates.Get("state")
+		assert.True(t, found)
+		assert.Equal(t, "value", val)
+	})
+}
+
+func TestAuthenticator_OIDCFlow_Failure(t *testing.T) {
+	t.Run("InvalidCACert", func(t *testing.T) {
+		cfg := mockConfig(TypeOIDC, t)
+		cfg.OIDCDiscoveryCACert = "invalid cert data"
+
+		logger := hclog.NewNullLogger()
+		_, err := New(cfg, logger)
+
+		assert.Error(t, err)
+		requireErrorContains(t, err, "could not parse CA PEM value successfully")
+	})
+
+	t.Run("ProviderConfig_error", func(t *testing.T) {
+		cfg := mockConfig(TypeOIDC, t)
+		cfg.OIDCDiscoveryURL = "::invalid-url::"
+
+		logger := hclog.NewNullLogger()
+		_, err := New(cfg, logger)
+
+		assert.Error(t, err)
+		requireErrorContains(t, err, "error checking OIDCDiscoveryURL")
+	})
+}