Skip to content

Add private key jwt auth #1241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 18 commits into
base: main
Choose a base branch
from
Draft

Add private key jwt auth #1241

wants to merge 18 commits into from

Conversation

@julien-nc
Copy link
Member

@julien-nc julien-nc commented Oct 28, 2025
edited
Loading

Implement the "Private key JWT client authentication" flow.

https://auth0.com/docs/fr-ca/authenticate/enterprise-connections/private-key-jwt-client-auth
https://www.keycloak.org/securing-apps/authz-client#_client_authentication_with_signed_jwt
https://docs.developer.singpass.gov.sg/docs

  • Generate key pair for signature
  • Implement refresh mechanism for signature key
  • Generate key pair for encryption
  • Implement the client assertion JWT generation to be passed to the IdP on login
  • Adjust the code endpoint to detect if we got a JWE or a JWT from the token endpoint, act accordingly
  • Add doc to README
  • New provider-specific setting to toggle this new auth method
  • Add hints in the settings UI

@julien-nc julien-nc self-assigned this Oct 28, 2025
@julien-nc julien-nc added enhancement New feature or request feature request labels Oct 28, 2025
@julien-nc julien-nc force-pushed the enh/noid/private-key-jwt-auth branch 4 times, most recently from 56cc2a7 to 352567d Compare November 4, 2025 16:20
@julien-nc julien-nc force-pushed the enh/noid/private-key-jwt-auth branch 4 times, most recently from 8dc4e0e to 6d08fc0 Compare November 13, 2025 13:46
@julien-nc julien-nc force-pushed the enh/noid/private-key-jwt-auth branch 6 times, most recently from 8369165 to 4dd4ac7 Compare November 20, 2025 09:51
@julien-nc julien-nc force-pushed the enh/noid/private-key-jwt-auth branch from 5e7fcf1 to 7141cb6 Compare November 24, 2025 15:29
@julien-nc
gen ssl key pair and convert the public key to JWK
31f5adc 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
store pem priv key in appconfig, gen JWK from public ssl key, test cr…
c99b500 
…eating and decoding JWT from our key

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
use EC signature key with P-384 curve
e4f8041 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
generate/store/refresh encryption key
2096906 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
add lint-eslint action
55725ad 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
add new boolean setting to enable private key jwt auth
f0e368e 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
implement private jwt login flow by passing the client assertion to t…
a28d24f 
…he token endpoint

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
adjust README and settings UI
5be99a6 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
increase key lifetime to one hour, add comments on when/why we refresh
3980eee 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
implement small signature key tests
070e02d 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
implement small encryption key tests
56a44a8 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
implement JWE encryption + decryption with algos working with singpass
1c01be3 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
implement JWE tests
98aaa5e 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
polish
c754130 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
tests
e14cbe1 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
last part: detect if a JWT is in a JWE on login
bb38741 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc
make it possible to force-enable PKCE
16d054b 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc julien-nc force-pushed the enh/noid/private-key-jwt-auth branch from 7141cb6 to 16d054b Compare November 26, 2025 09:31
@julien-nc
add error description in 403 template, use it in code controller method
8bbad60 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@juliusknorr juliusknorr Awaiting requested review from juliusknorr juliusknorr will be requested when the pull request is marked ready for review juliusknorr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@julien-nc julien-nc

Labels

enhancement New feature or request feature request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@julien-nc