
`private_key_jwt` use in `client_credentials` flow

Open zekth opened this issue 1 month ago • 0 comments

Hello,

Trying to implement the private_key_jwt auth method, I faced an issue during the client_credentials flow where it seems that the client_assertion is not verified.

The method AuthorizePrivateJWTKey is used in:

  • AuthorizeCodeClient: https://github.com/zitadel/oidc/blob/6373a0e5bd9a2109a945aae1af04ce932edbf05e/pkg/op/token_code.go#L93
  • AuthorizeRefreshClient: https://github.com/zitadel/oidc/blob/6373a0e5bd9a2109a945aae1af04ce932edbf05e/pkg/op/token_refresh.go#L107

But it doesn't seem to be called in the client_credentials flow. Am I doing something wrong? If so, could the team guide me to what needs to be implemented to verify the assertion? I couldn't find anything in the documentation.

zekth, Nov 12 '25 09:11
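For context on what "verifying the assertion" has to cover, the following is an added example and is not code from zitadel/oidc or from the issue reporter. It shows the checks a token endpoint must run on a `private_key_jwt` `client_assertion` before honouring a `client_credentials` grant, as RFC 7523 lays them out: an RS256 signature under the key registered for the requesting client, `iss` and `sub` equal to that `client_id`, `aud` naming this token endpoint, a non-expired `exp`, and a `jti` that has not been seen before (so a captured assertion cannot be replayed while still valid). The names `Verifier`, `VerifyAssertion`, `SignAssertion`, the in-memory key store and the `https://issuer.example/oauth/token` endpoint are assumptions made for the example; the library's own `AuthorizePrivateJWTKey` and its storage interfaces are not used here, and the example goes slightly beyond the issue by also rejecting an `alg` header other than RS256 and by accepting the array form of `aud` that JWT permits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// assertionClaims is the claim set RFC 7523 requires in a private_key_jwt
// client_assertion; aud stays raw because JWT allows a string or an array.
type assertionClaims struct {
	Iss string          `json:"iss"`
	Sub string          `json:"sub"`
	Aud json.RawMessage `json:"aud"`
	Exp int64           `json:"exp"`
	Jti string          `json:"jti"`
}

// Verifier is the token-endpoint side: a hypothetical in-memory store of registered
// client keys, plus accepted jti values so a captured assertion cannot be replayed.
type Verifier struct {
	TokenEndpoint string
	Keys          map[string]*rsa.PublicKey // client_id -> registered public key (assumed store)
	mu            sync.Mutex
	seenJTI       map[string]int64 // jti -> exp
}

// VerifyAssertion is the check a client_credentials handler must run before it
// issues a token: RS256 signature by the key registered for clientID, then
// iss/sub bound to that client_id, aud bound to this endpoint, exp and jti.
func (v *Verifier) VerifyAssertion(clientID, assertion string) (*assertionClaims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 { return nil, errors.New("malformed JWT") }
	hdrJSON, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	claimsJSON, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil { return nil, errors.New("malformed JWT segment") }
	var hdr struct{ Alg string `json:"alg"` }
	// Only RS256 is honoured: never let the header pick "none" or an HMAC alg.
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" { return nil, errors.New("unsupported alg") }
	key, ok := v.Keys[clientID]
	if !ok { return nil, errors.New("unknown client") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil { return nil, errors.New("bad signature") }
	var c assertionClaims
	if err := json.Unmarshal(claimsJSON, &c); err != nil { return nil, err }
	now := time.Now().Unix()
	switch {
	case c.Iss != clientID || c.Sub != clientID: return nil, errors.New("iss/sub do not match client_id")
	case !audContains(c.Aud, v.TokenEndpoint): return nil, errors.New("aud does not name this token endpoint")
	case c.Exp == 0 || now >= c.Exp: return nil, errors.New("assertion expired or has no exp")
	case c.Jti == "": return nil, errors.New("missing jti")
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if v.seenJTI == nil { v.seenJTI = map[string]int64{} }
	for id, exp := range v.seenJTI { if exp <= now { delete(v.seenJTI, id) } } // forget IDs past exp
	if _, replay := v.seenJTI[c.Jti]; replay { return nil, errors.New("assertion replayed") }
	v.seenJTI[c.Jti] = c.Exp
	return &c, nil
}

// audContains accepts either JWT form of aud: a single string or an array.
func audContains(raw json.RawMessage, want string) bool {
	var one string
	var many []string
	if json.Unmarshal(raw, &one) == nil { many = []string{one} } else if json.Unmarshal(raw, &many) != nil { return false }
	for _, a := range many { if a == want { return true } }
	return false
}

// SignAssertion is the client side (RS256 over header.payload); used here only to construct input.
func SignAssertion(key *rsa.PrivateKey, clientID, audience, jti string, exp time.Time) (string, error) {
	aud, _ := json.Marshal(audience)
	body, _ := json.Marshal(assertionClaims{Iss: clientID, Sub: clientID, Aud: aud, Exp: exp.Unix(), Jti: jti})
	enc := base64.RawURLEncoding
	signing := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return signing + "." + enc.EncodeToString(sig), nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed client key for the demo
	v := &Verifier{TokenEndpoint: "https://issuer.example/oauth/token", Keys: map[string]*rsa.PublicKey{"client-a": &key.PublicKey}}
	a, _ := SignAssertion(key, "client-a", v.TokenEndpoint, "jti-1", time.Now().Add(2*time.Minute))
	_, first := v.VerifyAssertion("client-a", a)
	_, second := v.VerifyAssertion("client-a", a)
	fmt.Println("first use:", first, "| replay:", second)
}
```

The point the issue raises is that every branch of the token endpoint that accepts `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer` must run a check of this shape; if the `client_credentials` branch skips it, anyone who knows a confidential client's `client_id` can mint tokens for it without holding its private key. The `client_id` used for the key lookup and for the `iss`/`sub` comparison must come from the request being authorized, not from the assertion itself.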