Open naizerjohn-ms opened 1 week ago
we are interested of this feature as well.
Hi @zetaab! I see that you have made some contributions to client_assertion is the client credentials flow! However, this feature also needs to be added into the 'oauth2/internal' directory for the auth code grant flow. The auth code grant flow retrieves both an access token and an id token, the ideal grant flow for SSO (user + app). See this link for more info on this grant flow.
@naizerjohn-ms that can be done already?
Example (disclaimer: I did not test this but afaik when reading code it should be possible)
conf := &oauth2.Config{
ClientID: authConf.ClientID,
Endpoint: provider.Endpoint(),
Scopes: scopes,
RedirectURL: authConf.RedirectURI,
AuthStyle: oauth2.AuthStyleInParams,
}
oauthCtx := oidc.ClientContext(context.Background(), &http.Client{})
otoken, err := conf.Exchange(
oauthCtx,
content.Code,
oauth2.SetAuthURLParam("client_assertion", "foo"),
oauth2.SetAuthURLParam("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),
)
...
@zetaab Great point, let me implement this and test... looks like it should work? I'm looking at oauth2/internal/token.go at function 'newTokenRequest', and it seems it only adds the client_secret to the body of the request if it is not null/empty
@naizerjohn-ms yep it adds it only if its defined, but you can define extra parameters with oauth2.SetAuthURLParam before that. Please test it if you have use-case :)
Hello!
Currently this package does not support client_assertion/client_assertion_type OAuth2.0 client authentication outlined here in the OpenID Connect documentation (not up to standard). Here is an example outlined in this documentation, for a visual on what the request would look like:
as opposed to what this package only currently supports (client_secret):
I am willing to work towards this implementation and am asking for any support/guidance for achieving this solution. Many tech companies (including ours) are migrating away from using secrets and towards more secure authentication systems. Please see this article which provides a deeper description on what client_assertions are as well.