
client_secret_jwt support at token endpoint

Open g7ed6e opened this issue 2 years ago • 1 comment

Which version of Duende IdentityServer are you using?

6.2.*

Describe the bug

N/A

Additional context

The client authentication mechanism client_secret_jwt is not supported. Please see OpenID Connect Core - Client Authentication.

The JwtBearerClientAssertionSecretParser already supports the parsing of the client assertion, but it looks like it assumes that the authentication method can only be private_key_jwt. There is no ISecretValidator that supports the client_secret_jwt authentication method.

A workaround is to implement a custom ISecretValidator and register it in DI, but the discovery document is not impacted.

g7ed6e avatar May 17 '23 12:05 g7ed6e

Hi, thanks for getting in touch. We'll consider this feature request for a future release. In the meantime, your workaround seems like a reasonable approach. The discovery document's token_endpoint_auth_methods_supported property is built by the ISecretsListParser.GetAvailableAuthenticationMethods method, which by default builds the list based on the registered ISecretParsers, as well as looking at mTLS settings. You could customize that method to change the discovery document. Another option to explore is to possibly implement the ISecretParser for client_secret_jwt, but it's not immediately obvious to me how you would distinguish client secret JWTs vs private key JWTs. Probably the simplest thing is to just customize GetAvailableAuthenticationMethods.

josephdecock avatar May 17 '23 17:05 josephdecock
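As an added example, not code from Duende IdentityServer or from either commenter, the following stdlib-only Python sketches the two pieces the thread touches on: telling a client_secret_jwt assertion apart from a private_key_jwt one (by the JWS alg header, which is the approach assumed here, not the project's), and validating the HMAC-signed assertion the way a custom ISecretValidator would have to. The client id, secret, token endpoint URL and jti are constructed values; note that HMAC verification needs the raw shared secret on the server, so a secret stored only as a hash cannot be used for this method.

```python
import base64
import hashlib
import hmac
import json
# HMAC algorithms used by client_secret_jwt (OIDC Core 9); private_key_jwt uses RS*/PS*/ES*.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_secret_jwt(client_id, client_secret, token_endpoint, now, jti):
    """Constructed client-side assertion: HS256 over header.payload, keyed by the raw shared secret."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint, "jti": jti, "iat": now, "exp": now + 300}
    signing_input = header + "." + _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def classify_assertion(assertion: str) -> str:
    """Tell the two JWT client-auth methods apart by the JWS 'alg' header alone (assumed approach)."""
    alg = json.loads(_b64url_decode(assertion.split(".")[0])).get("alg", "")
    if alg in HMAC_ALGS:
        return "client_secret_jwt"
    if alg.startswith(("RS", "PS", "ES")):
        return "private_key_jwt"
    raise ValueError(f"unsupported client assertion alg: {alg!r}")


def validate_client_secret_jwt(assertion, client_secret, token_endpoint, now, seen_jtis):
    """Return the authenticated client_id or None. Needs the raw secret: HMAC cannot be checked against a hash."""
    parts = assertion.split(".")
    digest = HMAC_ALGS.get(json.loads(_b64url_decode(parts[0])).get("alg")) if len(parts) == 3 else None
    if digest is None:  # malformed token, alg=none, or an asymmetric alg: reject before any key use
        return None
    expected = hmac.new(client_secret.encode(), f"{parts[0]}.{parts[1]}".encode(), digest).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return None
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        return None
    if claims.get("iss") != claims.get("sub") or claims.get("exp", 0) <= now:
        return None
    jti = claims.get("jti")
    if not jti or jti in seen_jtis:  # single use defeats replay of a captured assertion
        return None
    seen_jtis.add(jti)
    return claims["sub"]
```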