PKCE and Adding private key JWT support for OIDC

.changelog/22732.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+oidc: Added support for client authentication using JWT assertion and PKCE. default PKCE is disable
+```

api/acl.go

@@ -483,12 +483,14 @@ type OIDCAuthMethodConfig struct {
 	OIDCDiscoveryURL    string            `json:",omitempty"`
 	OIDCDiscoveryCACert string            `json:",omitempty"`
 	// just for type=oidc
-	OIDCClientID        string   `json:",omitempty"`
-	OIDCClientSecret    string   `json:",omitempty"`
-	OIDCScopes          []string `json:",omitempty"`
-	OIDCACRValues       []string `json:",omitempty"`
-	AllowedRedirectURIs []string `json:",omitempty"`
-	VerboseOIDCLogging  bool     `json:",omitempty"`
+	OIDCClientID        string               `json:",omitempty"`
+	OIDCClientSecret    string               `json:",omitempty"`
+	OIDCClientAssertion *OIDCClientAssertion `json:",omitempty"`
+	OIDCClientUsePKCE   *bool                `json:",omitempty"`
+	OIDCScopes          []string             `json:",omitempty"`
+	OIDCACRValues       []string             `json:",omitempty"`
+	AllowedRedirectURIs []string             `json:",omitempty"`
+	VerboseOIDCLogging  bool                 `json:",omitempty"`
 	// just for type=jwt
 	JWKSURL              string        `json:",omitempty"`
 	JWKSCACert           string        `json:",omitempty"`
@@ -513,6 +515,8 @@ func (c *OIDCAuthMethodConfig) RenderToConfig() map[string]interface{} {
 		// just for type=oidc
 		"OIDCClientID":        c.OIDCClientID,
 		"OIDCClientSecret":    c.OIDCClientSecret,
+		"OIDCClientAssertion": c.OIDCClientAssertion,
+		"OIDCClientUsePKCE":   c.OIDCClientUsePKCE,
 		"OIDCScopes":          c.OIDCScopes,
 		"OIDCACRValues":       c.OIDCACRValues,
 		"AllowedRedirectURIs": c.AllowedRedirectURIs,
@@ -528,6 +532,16 @@ func (c *OIDCAuthMethodConfig) RenderToConfig() map[string]interface{} {
 	}
 }
 
+type OIDCClientAssertion struct {
+	Audience     []string
+	PrivateKey   *OIDCClientAssertionKey
+	KeyAlgorithm string
+}
+
+type OIDCClientAssertionKey struct {
+	PemKey string
+}
+
 type ACLLoginParams struct {
 	AuthMethod  string
 	BearerToken string

go.mod

@@ -22,7 +22,7 @@ require (
 	github.com/armon/go-metrics v0.4.1
 	github.com/armon/go-radix v1.0.0
 	github.com/aws/aws-sdk-go v1.55.7
-	github.com/coreos/go-oidc/v3 v3.9.0
+	github.com/coreos/go-oidc/v3 v3.11.0
 	github.com/deckarep/golang-set/v2 v2.3.1
 	github.com/docker/go-connections v0.4.0
 	github.com/envoyproxy/go-control-plane v0.13.4
@@ -37,12 +37,14 @@ require (
 	github.com/go-openapi/runtime v0.26.2
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-viper/mapstructure/v2 v2.4.0
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/google/go-cmp v0.7.0
 	github.com/google/gofuzz v1.2.0
 	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
 	github.com/google/tcpproxy v0.0.0-20180808230851-dfa16c61dad2
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/hashi-derek/grpc-proxy v0.0.0-20231207191910-191266484d75
+	github.com/hashicorp/cap v0.10.0
 	github.com/hashicorp/consul-awsauth v0.0.0-20250825122907-9e35fe9ded3a
 	github.com/hashicorp/consul-net-rpc v0.0.0-20221205195236-156cfab66a69
 	github.com/hashicorp/consul/api v1.31.2
@@ -191,6 +193,7 @@ require (
 	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect

go.sum

@@ -197,8 +197,8 @@ github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc
 github.com/coreos/etcd v3.3.27+incompatible h1:QIudLb9KeBsE5zyYxd1mjzRSkzLg9Wf9QlRwFgd6oTA=
 github.com/coreos/etcd v3.3.27+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
-github.com/coreos/go-oidc/v3 v3.9.0 h1:0J/ogVOd4y8P0f0xUh8l9t07xRP/d8tccvjHl2dcsSo=
-github.com/coreos/go-oidc/v3 v3.9.0/go.mod h1:rTKz2PYwftcrtoCzV5g5kvfJoWcm0Mk8AF8y1iAQro4=
+github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
+github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
@@ -279,6 +279,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
 github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
+github.com/go-jose/go-jose/v4 v4.1.1/go.mod h1:BdsZGqgdO3b6tTc6LSE56wcDbMMLuPsw5d4ZD5f94kA=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -331,6 +333,8 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.2.5 h1:DrW6hGnjIhtvhOIiAKT6Psh/Kd/ldepEa81DKeiRJ5I=
 github.com/golang/glog v1.2.5/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
@@ -445,6 +449,8 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rH
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
 github.com/hashi-derek/grpc-proxy v0.0.0-20231207191910-191266484d75 h1:V5Uqf7VoWMd6UhNf/5EMA8LMPUm95GYvk2YF5SzT24o=
 github.com/hashi-derek/grpc-proxy v0.0.0-20231207191910-191266484d75/go.mod h1:5eEnHfK72jOkp4gC1dI/Q/E9MFNOM/ewE/vql5ijV3g=
+github.com/hashicorp/cap v0.10.0 h1:OJM3JQTwVO1DigRIPNTxM387oqXlokKhttZHotU0b1s=
+github.com/hashicorp/cap v0.10.0/go.mod h1:HKbv27kfps+wONFNyNTHpAQmU/DCjjDuB5HF6mFsqPQ=
 github.com/hashicorp/consul-awsauth v0.0.0-20250825122907-9e35fe9ded3a h1:Qd0N8lIr1QP/d7FYxseYjRLUtJp2+2R8k+mjiC2rmiY=
 github.com/hashicorp/consul-awsauth v0.0.0-20250825122907-9e35fe9ded3a/go.mod h1:++exZ1sI8JLIv4QvzGvTjZdf1eZARoZcaNEjNT9SZYA=
 github.com/hashicorp/consul-net-rpc v0.0.0-20221205195236-156cfab66a69 h1:wzWurXrxfSyG1PHskIZlfuXlTSCj1Tsyatp9DtaasuY=

internal/go-sso/oidcauth/auth.go

@@ -17,6 +17,7 @@ import (
 	"sync"
 
 	"github.com/coreos/go-oidc/v3/oidc"
+	capOidc "github.com/hashicorp/cap/oidc"
 	"github.com/hashicorp/go-hclog"
 	"github.com/patrickmn/go-cache"
 )
@@ -41,8 +42,14 @@ type Authenticator struct {
 
 	// parsedJWTPubKeys is the parsed form of config.JWTValidationPubKeys
 	parsedJWTPubKeys []interface{}
-	provider         *oidc.Provider
-	keySet           oidc.KeySet
+
+	// provider is the coreos/go-oidc provider used for JWT validation
+	provider *oidc.Provider
+
+	// capProvider is the HashiCorp CAP library provider used for OIDC flows
+	// with support for private key JWT client authentication
+	capProvider *capOidc.Provider
+	keySet      oidc.KeySet
 
 	// httpClient should be configured with all relevant root CA certs and be
 	// reused for all OIDC or JWKS operations. This will be nil for the static
@@ -86,13 +93,42 @@ func New(c *Config, logger hclog.Logger) (*Authenticator, error) {
 	}
 	a.backgroundCtx, a.backgroundCtxCancel = context.WithCancel(context.Background())
 
+	var err error
 	if c.Type == TypeOIDC {
 		a.oidcStates = cache.New(oidcStateTimeout, oidcStateCleanupInterval)
 	}
 
-	var err error
 	switch c.authType() {
-	case authOIDCDiscovery, authOIDCFlow:
+	case authOIDCFlow:
+		var supported []capOidc.Alg
+		if len(a.config.JWTSupportedAlgs) == 0 {
+			// Default to RS256 if nothing is specified.
+			supported = []capOidc.Alg{capOidc.RS256}
+		} else {
+			for _, alg := range a.config.JWTSupportedAlgs {
+				supported = append(supported, capOidc.Alg(alg))
+			}
+		}
+		// Use CAP's OIDC provider to leverage its built-in support for
+		providerConfig, err := capOidc.NewConfig(
+			a.config.OIDCDiscoveryURL,
+			a.config.OIDCClientID,
+			capOidc.ClientSecret(a.config.OIDCClientSecret),
+			supported,
+			a.config.AllowedRedirectURIs,
+			capOidc.WithAudiences(a.config.BoundAudiences...),
+			capOidc.WithProviderCA(a.config.OIDCDiscoveryCACert),
+		)
+		if err != nil {
+			return nil, fmt.Errorf("error creating provider config: %v", err)
+		}
+
+		provider, error := capOidc.NewProvider(providerConfig)
+		if error != nil {
+			return nil, fmt.Errorf("error creating provider: %v", error)
+		}
+		a.capProvider = provider
+	case authOIDCDiscovery:
 		a.httpClient, err = createHTTPClient(a.config.OIDCDiscoveryCACert)
 		if err != nil {
 			return nil, fmt.Errorf("error parsing OIDCDiscoveryCACert: %v", err)

internal/go-sso/oidcauth/config.go

@@ -87,6 +87,13 @@ type Config struct {
 	// Valid only if Type=oidc
 	OIDCClientSecret string
 
+	// Optionally send a signed JWT ("private key jwt") as a client assertion
+	// for client authentication. This enables enhanced
+	// security by using asymmetric cryptography instead of shared secrets.
+	OIDCClientAssertion *OIDCClientAssertion
+	// Disable S256 PKCE challenge verification
+	OIDCClientUsePKCE *bool
+
 	// Comma-separated list of OIDC scopes
 	//
 	// Valid only if Type=oidc
@@ -166,6 +173,30 @@ type Config struct {
 	ClockSkewLeeway time.Duration
 }
 
+// OIDCClientAssertion configures private key JWT client authentication
+// for enhanced security in OIDC flows. This allowing clients to authenticate
+// using signed JWTs instead of shared secrets.
+// See also: structs.OIDCClientAssertion
+type OIDCClientAssertion struct {
+	// Audience is/are who will be processing the assertion.
+	// Typically set to the OIDC provider's token endpoint URL.
+	// Defaults to the parent ACLAuthMethodConfig's OIDCDiscoveryURL
+	Audience []string
+
+	// PrivateKey contains external key material provided by users.
+	// KeySource must be "private_key" to enable this.
+	PrivateKey *OIDCClientAssertionKey
+
+	KeyAlgorithm string
+}
+
+// OIDCClientAssertionKey holds the private key used for signing client assertions
+type OIDCClientAssertionKey struct {
+	// PemKey is the private key, in pem format. It is used to sign the JWT.
+	// Mutually exclusive with PemKeyFile.
+	PemKey string
+}
+
 // Validate returns an error if the config is not valid.
 func (c *Config) Validate() error {
 	validateCtx, validateCtxCancel := context.WithCancel(context.Background())
@@ -179,8 +210,10 @@ func (c *Config) Validate() error {
 			return fmt.Errorf("'OIDCDiscoveryURL' must be set for type %q", c.Type)
 		case c.OIDCClientID == "":
 			return fmt.Errorf("'OIDCClientID' must be set for type %q", c.Type)
-		case c.OIDCClientSecret == "":
-			return fmt.Errorf("'OIDCClientSecret' must be set for type %q", c.Type)
+		case c.OIDCClientSecret == "" && c.OIDCClientAssertion == nil:
+			return fmt.Errorf("'OIDCClientSecret' or 'OIDCClientAssertion' must be set for type %q", c.Type)
+		case c.OIDCClientAssertion != nil && c.OIDCClientAssertion.PrivateKey == nil:
+			return fmt.Errorf("'OIDCClientAssertion.PrivateKey' must be set when 'OIDCClientAssertion' is set for type %q", c.Type)
 		case len(c.AllowedRedirectURIs) == 0:
 			return fmt.Errorf("'AllowedRedirectURIs' must be set for type %q", c.Type)
 		}
@@ -189,6 +222,8 @@ func (c *Config) Validate() error {
 		switch {
 		case c.JWKSURL != "":
 			return fmt.Errorf("'JWKSURL' must not be set for type %q", c.Type)
+		case c.OIDCClientSecret != "" && c.OIDCClientAssertion != nil:
+			return fmt.Errorf("only one of 'OIDCClientSecret' or 'OIDCClientAssertion' can be set for type %q", c.Type)
 		case c.JWKSCACert != "":
 			return fmt.Errorf("'JWKSCACert' must not be set for type %q", c.Type)
 		case len(c.JWTValidationPubKeys) != 0:
@@ -213,13 +248,23 @@ func (c *Config) Validate() error {
 			return fmt.Errorf("Invalid AllowedRedirectURIs provided: %v", bad)
 		}
 
+		if c.OIDCClientAssertion != nil {
+			// Validate KeyAlgorithm if set
+			if c.OIDCClientAssertion.KeyAlgorithm != "" &&
+				c.OIDCClientAssertion.KeyAlgorithm != "RS256" {
+				return fmt.Errorf("'OIDCClientAssertion.KeyAlgorithm' must be 'RS256' currently")
+			}
+		}
+
 	case TypeJWT:
 		// not allowed
 		switch {
 		case c.OIDCClientID != "":
 			return fmt.Errorf("'OIDCClientID' must not be set for type %q", c.Type)
 		case c.OIDCClientSecret != "":
 			return fmt.Errorf("'OIDCClientSecret' must not be set for type %q", c.Type)
+		case c.OIDCClientAssertion != nil:
+			return fmt.Errorf("'OIDCClientAssertion' must not be set for type %q", c.Type)
 		case len(c.OIDCScopes) != 0:
 			return fmt.Errorf("'OIDCScopes' must not be set for type %q", c.Type)
 		case len(c.OIDCACRValues) != 0:
@@ -347,11 +392,13 @@ func (c *Config) authType() int {
 	case c.OIDCDiscoveryURL != "":
 		if c.OIDCClientID != "" && c.OIDCClientSecret != "" {
 			return authOIDCFlow
+		} else if c.OIDCClientID != "" && c.OIDCClientAssertion != nil {
+			return authOIDCFlow
 		}
 		return authOIDCDiscovery
 	default:
 		return authUnconfigured
 	}
 }
 
-const testJWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.Hf3E3iCHzqC5QIQ0nCqS1kw78IiQTRVzsLTuKoDIpdk"
+const testJWT = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.Hf3E3iCHzqC5QIQ0nCqS1kw78IiQTRVzsLTuKoDIpdk"

internal/go-sso/oidcauth/config_test.go

@@ -56,7 +56,20 @@ func TestConfigValidate(t *testing.T) {
 			},
 			expectErr: "must be set for type",
 		},
-		"missing required OIDCClientSecret": {
+		"missing required OIDCClientAssertion.PrivateKey": {
+			config: Config{
+				Type:                TypeOIDC,
+				OIDCDiscoveryURL:    srv.Addr(),
+				OIDCDiscoveryCACert: srv.CACert(),
+				OIDCClientID:        "abc",
+				OIDCClientAssertion: &OIDCClientAssertion{
+					Audience: []string{srv.Addr()},
+				},
+				AllowedRedirectURIs: []string{"http://foo.test"},
+			},
+			expectErr: "OIDCClientAssertion.PrivateKey' must be set when 'OIDCClientAssertion' is set for type",
+		},
+		"missing required OIDCClientSecret or OIDCClientAssertion": {
 			config: Config{
 				Type:                TypeOIDC,
 				OIDCDiscoveryURL:    srv.Addr(),
@@ -65,7 +78,7 @@ func TestConfigValidate(t *testing.T) {
 				// OIDCClientSecret:    "def",
 				AllowedRedirectURIs: []string{"http://foo.test"},
 			},
-			expectErr: "must be set for type",
+			expectErr: "OIDCClientSecret' or 'OIDCClientAssertion' must be set for type",
 		},
 		"missing required AllowedRedirectURIs": {
 			config: Config{
@@ -78,6 +91,36 @@ func TestConfigValidate(t *testing.T) {
 			},
 			expectErr: "must be set for type",
 		},
+		"incompatible with OIDCClientSecret and OIDCClientAssertion": {
+			config: Config{
+				Type:                TypeOIDC,
+				OIDCDiscoveryURL:    srv.Addr(),
+				OIDCDiscoveryCACert: srv.CACert(),
+				OIDCClientID:        "abc",
+				OIDCClientSecret:    "def",
+				OIDCClientAssertion: &OIDCClientAssertion{
+					PrivateKey: &OIDCClientAssertionKey{PemKey: testRSAPrivateKey},
+					Audience:   []string{srv.Addr()},
+				},
+				AllowedRedirectURIs: []string{"http://foo.test"},
+			},
+			expectErr: "only one of 'OIDCClientSecret' or 'OIDCClientAssertion",
+		},
+		"incompatible key algorithm": {
+			config: Config{
+				Type:                TypeOIDC,
+				OIDCDiscoveryURL:    srv.Addr(),
+				OIDCDiscoveryCACert: srv.CACert(),
+				OIDCClientID:        "abc",
+				OIDCClientAssertion: &OIDCClientAssertion{
+					PrivateKey:   &OIDCClientAssertionKey{PemKey: testRSAPrivateKey},
+					Audience:     []string{srv.Addr()},
+					KeyAlgorithm: "foo",
+				},
+				AllowedRedirectURIs: []string{"http://foo.test"},
+			},
+			expectErr: "OIDCClientAssertion.KeyAlgorithm' must be 'RS256' currently",
+		},
 		"incompatible with JWKSURL": {
 			config: Config{
 				Type:                TypeOIDC,
@@ -366,6 +409,16 @@ func TestConfigValidate(t *testing.T) {
 			},
 			expectErr: "must not be set for type",
 		},
+		"incompatible with OIDCClientAssertion": {
+			config: Config{
+				Type:                 TypeJWT,
+				JWTValidationPubKeys: []string{testJWTPubKey},
+				OIDCClientAssertion: &OIDCClientAssertion{
+					Audience: []string{srv.Addr()},
+				},
+			},
+			expectErr: "must not be set for type",
+		},
 		"incompatible with OIDCScopes": {
 			config: Config{
 				Type:                 TypeJWT,