proposal: x/oauth2: add support for client_assertion
Proposal Details
Currently this package does not support client_assertion/client_assertion_type OAuth 2.0 client authentication outlined here in the OpenID Connect documentation (not up to standard). Here is an example outlined in this documentation, for a visual on what the request would look like:
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=i1WsRn1uB1&
client_id=s6BhdRkqt3&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=PHNhbWxwOl ... ZT
(Pulled from https://github.com/golang/oauth2/issues/744)
What does support look like for x/oauth2? What do we need to add or change in terms of API and documentation?
Thank you for replying so quickly! I think mainly it would be adding a new method to the oauth.Config type. I'll be honest, I haven't looked too deeply into whether there would be greater changes. The issue I linked in the initial description details a workaround and some feedback from others! Let me know if there is any other information you need/want!
Example of new API method
package oauth2

import (
	"context"
	"net/url"
	"strings"
)

func (c *Config) ClientAssertion(ctx context.Context, jwt string) (*Token, error) {
	v := url.Values{
		"client_assertion":      {jwt},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
	}
	// validate jwt has the required claim values: iss, sub, aud, jti, exp, (optional) iat
	if len(c.Scopes) > 0 {
		v.Set("scope", strings.Join(c.Scopes, " "))
	}
	// retrieveToken is the package's unexported helper that posts v to c.Endpoint.TokenURL;
	// grant_type and any grant-specific parameters (such as code) are not set in this sketch.
	return retrieveToken(ctx, c, v)
}
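As an added example (not the proposer's sketch and not x/oauth2 code), the following stand-alone Go program fills in the claim check the comment above calls for: it screens a client assertion for the claims RFC 7523 requires (iss, sub, aud, jti, exp) and for expiry, then builds the client_assertion form fields from the proposal's request. It uses only the standard library and assumes the IdP, not the client, verifies the signature; scope handling is left out since the sketch already shows it.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
	"time"
)

// checkAssertion decodes the JWT payload and rejects assertions that lack the
// claims RFC 7523 requires (iss, sub, aud, jti, exp) or have already expired.
// It does not verify the signature: the IdP does that with the key or issuer it trusts.
func checkAssertion(jwt string, now time.Time) error {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return errors.New("client_assertion is not a compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return err
	}
	for _, k := range []string{"iss", "sub", "aud", "jti", "exp"} {
		if claims[k] == nil {
			return errors.New("client_assertion is missing the " + k + " claim")
		}
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return errors.New("client_assertion exp is malformed or in the past")
	}
	return nil
}

// clientAssertionForm builds the form fields the proposed Config.ClientAssertion
// method would add to the token request, after screening the assertion.
func clientAssertionForm(jwt string, now time.Time) (url.Values, error) {
	if err := checkAssertion(jwt, now); err != nil {
		return nil, err
	}
	v := url.Values{"client_assertion": {jwt}}
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	return v, nil
}
```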
Hey there Golang team! I'm a TPM for Grafana, and we've had reports of this one coming up as you can see here - looks like @Richard87 has been keeping a good eye on this, thank you! Let us know how we might help here - I suspect that with the multiple related issues this has likely come up in a number of other circumstances but may not always get logged back to this. Please let me know! ☀️
Hey all! I found a JWT package within the oauth repo here! I haven't tried it but I think this could meet our needs??
Both yes and no: the client authenticates itself by creating and signing a JWT based on a provided key (RFC 7521). The IDP then matches the newly created JWT against a certificate that was uploaded earlier.
But in a workload identity scenario, the JWT is already created by the platform (Kubernetes in our case). On the IDP we tell it to trust the other OIDC issuer and its JWT tokens with matching subjects.
This way the application doesn't need any private keys or secrets (except for the short-lived JWT), and the application owner can tell its resource owner that it can trust this other issuer's JWTs. This significantly reduces the risk of stolen credentials (there are no credentials), and even if someone manages to steal a JWT, it's valid for only 60 minutes.
https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-certificate-credential