badgateway / oauth2-client

OAuth2 client for Node and browsers
https://www.npmjs.com/package/@badgateway/oauth2-client
MIT License
285 stars, 34 forks

Implement JWT Bearer grant #159

Open ericleib opened 2 months ago

ericleib commented 2 months ago

This is a work-in-progress to implement the JWT Bearer grant type (which is needed in server-to-server setups, for example with Google APIs).

See: https://developers.google.com/identity/protocols/oauth2/service-account#httprest

This implementation adds the jsonwebtoken package as a dependency, which is probably not okay... Maybe the JWT could be generated outside of the library?

evert commented 2 months ago

I really appreciate this contribution, but... I'm running into the same issue with this as I have with folks asking for OpenID Connect related features.

There's no reasonable way to add this without being in conflict with some of the stated goals of this project, being:

It's hard to do given that some JWT dependency has to be pulled in. I really wish browsers had some JWT thing built in, this would make this a lot easier.

So really the question then is: do I change the goals of the project, do OpenID Connect, add JWT? I don't think I'm ready to really decide this. Maybe next year? (got a baby on the way, seems too big right now lol).

So instead maybe this contribution could be its own package as a sort of add-on? I could link to it if you're willing to maintain it?

On the practical side, the jsonwebtoken package itself is also an issue because the library is intended to work both on the browser and client, so probably jose is the better dependency. I would be curious what a webpack build with jose looks like. I can see myself changing my mind if the difference is not huge.

ericleib commented 2 months ago

Hello @evert,

Thank you for the fast reply! No worries at all, I understand and appreciate the goal of keeping the library simple and lightweight.

I simplified my implementation so that it's possible to retrieve an access token using the JWT Bearer grant, but the JWT needs to be generated externally. What do you think?

evert commented 1 month ago

Hey! Apologies for taking a while with this again.

I spent a bit of time reading:

But to be perfectly frank, I'm still a little lost with both. It's a use case I don't fully understand yet, and I don't have myself.

It's hard for me to integrate a feature I don't have a strong grasp on, because I lack the confidence to build an interface I feel strongly about, nor do I have obvious ways to test this.

Long term, I think I also decided I'm both interested in adopting this, AND finding a lightweight JWT solution and bringing in more OIDC features, but all of this has to wait till I have a window of free time, which I don't see happening for at least 4-5 months, due to some pretty major personal events happening in my life.

So for now I have to put this in the can, until I can bring this feature in with the confidence I need.

I understand this is probably not the result you're hoping for. A good PR is one of the greatest honors for a project, so I apologize I can't do more right now.

ericleib commented 1 month ago

Thank you for looking into it, and no worries, I was able to work around this for my project.

FYI, I faced the issue while using Google APIs with a service account. When you create a service account in GCP, what you get is a JSON file containing the credentials of this service account. This JSON file contains a private key that is needed to sign a JWT (which you then exchange for an access token, using the token endpoint). Most people do not have this need because they use Google's SDK to use their API, but this is actually what happens under the hood. In my project I need to support connections to any 3rd-party API and not just Google (hence why I do not use their SDK).

More info here: https://developers.google.com/identity/protocols/oauth2/service-account#httprest