Implementing "client_assertion"

[naizerjohn-ms]

Hello!

Currently this package does not support client_assertion/client_assertion_type OAuth2.0 client authentication outlined here in the OpenID Connect documentation (not up to standard). Here is an example outlined in this documentation, for a visual on what the request would look like:

  Host: server.example.com
  Content-Type: application/x-www-form-urlencoded

  grant_type=authorization_code&
    code=i1WsRn1uB1&
    client_id=s6BhdRkqt3&
    client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
    client_assertion=PHNhbWxwOl ... ZT

as opposed to what this package only currently supports (client_secret):

  Host: server.example.com
  Content-Type: application/x-www-form-urlencoded

  grant_type=authorization_code&
    code=i1WsRn1uB1&
    client_id=s6BhdRkqt3&
    client_secret=PHNhbWxwOl ... ZT

I am willing to work towards this implementation and am asking for any support/guidance for achieving this solution. Many tech companies (including ours) are migrating away from using secrets and towards more secure authentication systems. Please see this article which provides a deeper description on what client_assertions are as well.

[zetaab]

we are interested of this feature as well.

[naizerjohn-ms]

Hi @zetaab! I see that you have made some contributions to client_assertion is the client credentials flow! However, this feature also needs to be added into the 'oauth2/internal' directory for the auth code grant flow. The auth code grant flow retrieves both an access token and an id token, the ideal grant flow for SSO (user + app). See this link for more info on this grant flow.

[zetaab]

@naizerjohn-ms that can be done already?

Example (disclaimer: I did not test this but afaik when reading code it should be possible)

	conf := &oauth2.Config{
		ClientID:     authConf.ClientID,
		Endpoint:     provider.Endpoint(),
		Scopes:       scopes,
		RedirectURL:  authConf.RedirectURI,
		AuthStyle:    oauth2.AuthStyleInParams,
	}
	oauthCtx := oidc.ClientContext(context.Background(), &http.Client{})
	otoken, err := conf.Exchange(
		oauthCtx,
		content.Code,
		oauth2.SetAuthURLParam("client_assertion", "foo"),
		oauth2.SetAuthURLParam("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),
	)
	...

[naizerjohn-ms]

@zetaab Great point, let me implement this and test... looks like it should work? I'm looking at oauth2/internal/token.go at function 'newTokenRequest', and it seems it only adds the client_secret to the body of the request if it is not null/empty

[zetaab]

@naizerjohn-ms yep it adds it only if its defined, but you can define extra parameters with oauth2.SetAuthURLParam before that. Please test it if you have use-case :)

[francisconunesnavarro]

we are also interested in this feature as well, waiting for the PR to be approve

[naizerjohn-ms]

@zetaab This has been tested and verified. Will close issue now!

[naizerjohn-ms]

Hello @zetaab! I am reopening this issue, but I may just create a new one for specificity. Your recommendation above as stated has been verified to work which is great! There is one issue though... the token refresh does not work when using the method above by setting the authURLparams. This is because when this package does a token refresh it calls the TokenSource method inside oauth2.go file here:

TokenSource does NOT support passing in additional authURLparams like the Exchange method does. Any help to get this support implemented would be much appreciated! Or if I missed something, please show me!

[zetaab]

@naizerjohn-ms yeah well might be.. but the main issue is that none is reviewing. I have no idea how to get reviews

[naizerjohn-ms]

Adding @rakyll @adg @bradfitz seeing that you all have made contributions recently!