Skip to content

Add private key jwt auth #1241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
julien-nc wants to merge 23 commits into
base: main
Choose a base branch
from
Draft

Add private key jwt auth #1241

julien-nc wants to merge 23 commits into from

Conversation

@julien-nc
Copy link
Member

@julien-nc julien-nc commented Oct 28, 2025
edited
Loading

Implement the "Private key JWT client authentication" flow.

https://auth0.com/docs/fr-ca/authenticate/enterprise-connections/private-key-jwt-client-auth
https://www.keycloak.org/securing-apps/authz-client#_client_authentication_with_signed_jwt
https://docs.developer.singpass.gov.sg/docs

  • Generate key pair for signature
  • Implement refresh mechanism for signature key
  • Implement the client assertion JWT generation to be passed to the IdP on login
  • Generate key pair for encryption (for the provider to potentially generate a JWE returned by the token_endpoint)
  • Implement refresh mechanism for encryption key with key rotation
  • Adjust the code endpoint to detect if we got a JWE or a JWT from the token endpoint, act accordingly
  • Add doc to README
  • New provider-specific setting to toggle this new authentication method
  • Add hints in the settings UI
  • Make it possible to force-enable PCKE even when no code_challenge_methods_supported is found in the discovery endpoint's payload
  • Add a regexp mechanism to extract user IDs from a token attribute

@julien-nc julien-nc self-assigned this Oct 28, 2025
@julien-nc julien-nc added enhancement New feature or request feature request labels Oct 28, 2025
@julien-nc julien-nc force-pushed the enh/noid/private-key-jwt-auth branch 4 times, most recently from 56cc2a7 to 352567d Compare November 4, 2025 16:20
@julien-nc julien-nc force-pushed the enh/noid/private-key-jwt-auth branch 4 times, most recently from 8dc4e0e to 6d08fc0 Compare November 13, 2025 13:46
@julien-nc julien-nc force-pushed the enh/noid/private-key-jwt-auth branch 6 times, most recently from 8369165 to 4dd4ac7 Compare November 20, 2025 09:51
@julien-nc julien-nc force-pushed the enh/noid/private-key-jwt-auth branch 4 times, most recently from 465d587 to 5e9e3c5 Compare December 1, 2025 11:42
@julien-nc julien-nc force-pushed the enh/noid/private-key-jwt-auth branch 3 times, most recently from 343a387 to a7f1707 Compare December 22, 2025 14:50
@julien-nc
implement private jwt login flow by passing the client assertion to t…
034a5c1 
…he token endpoint

Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
adjust README and settings UI
f640964 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
increase key lifetime to one hour, add comments on when/why we refresh
479d6d3 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
implement small signature key tests
dd3301e 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
implement small encryption key tests
06e371b 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
implement JWE encryption + decryption with algos working with singpass
1249d2c 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
implement JWE tests
ee5c75d 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
polish
74a90d1 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
tests
4ea90ff 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
last part: detect if a JWT is in a JWE on login
4f54ad8 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
make it possible to force-enable PKCE
f48d9c5 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
add error description in 403 template, use it in code controller method
27945a4 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
add regexp mechanism to parse user IDs from tokens
69ba0b0 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
make debug endpoints private
3b0b9c6 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
handle errors when parsing JWT header at the end of the code flow
79f71aa 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc
include leading and trailing / in the userId regexp
22debe1 
Signed-off-by: Julien Veyssier <[email protected]>
@julien-nc julien-nc force-pushed the enh/noid/private-key-jwt-auth branch 2 times, most recently from 28e4a78 to 61abd9a Compare December 25, 2025 12:18
@julien-nc julien-nc force-pushed the enh/noid/private-key-jwt-auth branch from 61abd9a to 8131815 Compare December 25, 2025 12:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@juliusknorr juliusknorr Awaiting requested review from juliusknorr juliusknorr will be requested when the pull request is marked ready for review juliusknorr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@julien-nc julien-nc

Labels

enhancement New feature or request feature request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@julien-nc