Skip to content

PKCE and Adding private key JWT support for OIDC #22732

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 20 commits into from
Sep 17, 2025
Merged

PKCE and Adding private key JWT support for OIDC #22732

merged 20 commits into from
Sep 17, 2025

Conversation

@panman90
Copy link
Contributor

@panman90 panman90 commented Sep 9, 2025
edited
Loading

Description

Adding support for private key(client assertion) and PKCE for OIDC

Testing & Reproduction steps

Tested with Keyclock and Auth0 with private key JWT instead of client secret

Links

https://auth0.com/docs/authenticate/enterprise-connections/private-key-jwt-client-auth

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.

  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

  • If applicable, I've documented the impact of any changes to security controls.

    Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

@github-actions github-actions bot added theme/api Relating to the HTTP API interface theme/ui Anything related to the UI pr/dependencies PR specifically updates dependencies of project labels Sep 9, 2025
@panman90 panman90 marked this pull request as ready for review September 10, 2025 05:41
@panman90 panman90 requested a review from a team as a code owner September 10, 2025 05:41
@panman90 panman90 added the type/enhancement Proposed improvement or new feature label Sep 10, 2025
@panman90 panman90 self-assigned this Sep 10, 2025
@panman90 panman90 changed the title Adding private key JWT support for OIDC PKCE and Adding private key JWT support for OIDC Sep 10, 2025
suresh-hashicorp
suresh-hashicorp previously approved these changes Sep 10, 2025
View reviewed changes
Copy link
Collaborator

@suresh-hashicorp suresh-hashicorp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

UI changes are good.

sreeram77
sreeram77 requested changes Sep 11, 2025
View reviewed changes
.changelog/22732.txt Outdated
@@ -0,0 +1,3 @@
```release-note:feature
oidc: Added support for client authentication using JWT assertion and PKCE. default PKCE is disable
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
oidc: Added support for client authentication using JWT assertion and PKCE. default PKCE is disable
auth: add client authentication using JWT assertion and PKCE. default PKCE is disabled.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated message, mentioning OIDC as it only cover that auth flow

internal/go-sso/oidcauth/jwt.go Outdated
}

func (a *Authenticator) verifyOIDCToken(ctx context.Context, rawToken string) (map[string]interface{}, error) {
allClaims := make(map[string]interface{})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please replace interface{} with any

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

taken care

internal/go-sso/oidcauth/oidc.go Outdated
"time"

"github.com/coreos/go-oidc/v3/oidc"
// HashiCorp CAP (Cloud Authentication Primitives) library for OIDC flows
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment is unnecessary

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

addressed

dduzgun-security
dduzgun-security requested changes Sep 12, 2025
View reviewed changes
Copy link
Collaborator

@dduzgun-security dduzgun-security left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for working on this.
Here are a few security points which could be reviewed:

  • Can we have the PKCE check enabled explicitly by default?
  • Can we add the kid header to identify which key was used to sign the JWT?
  • If the kid not set, can we include the same x5t header logic as Nomad (ref)? By defaulting the checksum to x5t#S256
  • Can we default to Elliptic Curve instead of RS256? It's more performant. We can also include RS256 in the list of allowed algs
  • Can we add some unit tests for the alg portion please? There are also various tests we can include which were captured in Nomads implementation (ref)

@panman90
Copy link
Contributor Author

@dduzgun-security - Thanks for your feedback

  • Will make necessary change to enable PKCE by default.
  • Regarding kid and EC algorithm, we have kept it out of scope for this release.

@dduzgun-security
Copy link
Collaborator

dduzgun-security commented Sep 15, 2025
edited
Loading

@mansi991999 thanks for the reply and looking at it. I forgot to mention on the initial comment but could we also include some unit tests for jwt.go and auth.go?

I've added a comment in the internal RFC to understand more why the kid was moved to out of scope.

mrgupta7
mrgupta7 previously approved these changes Sep 16, 2025
View reviewed changes
sreeram77
sreeram77 requested changes Sep 16, 2025
View reviewed changes
internal/go-sso/oidcauth/auth.go Outdated
return nil, fmt.Errorf("error creating provider config: %v", err)
}

provider, error := capOidc.NewProvider(providerConfig)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please don't use 'error' for an error since this is a built in keyword. You can reuse err.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

taken care

internal/go-sso/oidcauth/jwt.go Outdated
return nil, errors.New("data does not contain any valid RSA, ECDSA, or ED25519 public keys")
}

func (a *Authenticator) verifyOIDCToken(ctx context.Context, rawToken string) (map[string]interface{}, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please replace interface{} with any.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

taken care

internal/go-sso/oidcauth/oidc.go

"github.com/coreos/go-oidc/v3/oidc"
"github.com/hashicorp/cap/oidc"
cass "github.com/hashicorp/cap/oidc/clientassertion"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this alias required?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to make references more concise

internal/go-sso/oidcauth/oidc.go Outdated
authURL, err := provider.AuthURL(ctx, request)
if err != nil {
return "", fmt.Errorf("error generating OAuth state: %v", err)
return "", fmt.Errorf("Error while generating AuthURL %q", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

error string should start with a lower case

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Taken care

@panman90
Copy link
Contributor Author

panman90 commented Sep 16, 2025
edited
Loading

@dduzgun-security
Added comment on RFC.
Regarding JWT, tests are already there. Added for Auth

@panman90 panman90 requested a review from sreeram77 September 16, 2025 11:23
@panman90 panman90 enabled auto-merge (squash) September 17, 2025 09:34
@panman90 panman90 merged commit 5c4ec6c into main Sep 17, 2025
282 of 290 checks passed
sanikachavan5 pushed a commit that referenced this pull request Sep 23, 2025
@panman90 @sanikachavan5
PKCE and Adding private key JWT support for OIDC (#22732)
fe6149f 
* Adding private key JWT support for OIDC
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sreeram77 sreeram77 sreeram77 approved these changes

@dduzgun-security dduzgun-security dduzgun-security approved these changes

@mrgupta7 mrgupta7 mrgupta7 left review comments

@suresh-hashicorp suresh-hashicorp suresh-hashicorp left review comments

Assignees

@panman90 panman90

Labels

pr/dependencies PR specifically updates dependencies of project pr/no-backport theme/api Relating to the HTTP API interface theme/ui Anything related to the UI type/enhancement Proposed improvement or new feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@panman90 @dduzgun-security @sreeram77 @mrgupta7 @suresh-hashicorp