feat(oidc): private_key_jwt client auth (#5280)

This adds support for the private_key_jwt client authentication method.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>

docs/content/en/configuration/identity-providers/introduction.md

@@ -16,4 +16,4 @@ aliases:
 
 ## OpenID Connect
 
-The only identity provider implementation supported at this time is [OpenID Connect 1.0](open-id-connect.md).
+The only identity provider implementation supported at this time is [OpenID Connect 1.0](openid-connect/provider.md).

docs/content/en/configuration/identity-providers/openid-connect/_index.md

@@ -0,0 +1,15 @@
+---
+title: "OpenID Connect 1.0"
+description: ""
+lead: ""
+date: 2023-05-08T13:38:08+10:00
+lastmod: 2022-01-18T20:07:56+01:00
+draft: false
+images: []
+menu:
+  docs:
+    parent: "identity-providers"
+    identifier: "openid-connect"
+weight: 190120
+toc: true
+---

docs/content/en/configuration/methods/secrets.md

@@ -77,9 +77,9 @@ other configuration using the environment but instead of loading a file the valu
 [authentication_backend.ldap.password]: ../first-factor/ldap.md#password
 [authentication_backend.ldap.tls.certificate_chain]: ../first-factor/ldap.md#tls
 [authentication_backend.ldap.tls.private_key]: ../first-factor/ldap.md#tls
-[identity_providers.oidc.issuer_certificate_chain]: ../identity-providers/open-id-connect.md#issuercertificatechain
-[identity_providers.oidc.issuer_private_key]: ../identity-providers/open-id-connect.md#issuerprivatekey
-[identity_providers.oidc.hmac_secret]: ../identity-providers/open-id-connect.md#hmacsecret
+[identity_providers.oidc.issuer_certificate_chain]: ../identity-providers/openid-connect.md#issuercertificatechain
+[identity_providers.oidc.issuer_private_key]: ../identity-providers/openid-connect.md#issuerprivatekey
+[identity_providers.oidc.hmac_secret]: ../identity-providers/openid-connect.md#hmacsecret
 
 
 ## Secrets in configuration file

docs/content/en/configuration/miscellaneous/privacy-policy.md

@@ -44,7 +44,7 @@ accepted is recorded and checked in the browser
 If the user has not accepted the policy they should not be able to interact with the Authelia UI via normal means.
 
 Administrators who are required to abide by the [GDPR] or other privacy laws should be advised that
-[OpenID Connect 1.0](../identity-providers/open-id-connect.md) clients configured with the `implicit` consent mode are
+[OpenID Connect 1.0](../identity-providers/openid-connect.md) clients configured with the `implicit` consent mode are
 unlikely to trigger the display of the Authelia UI if the user is already authenticated.
 
 We wont be adding checks like this to the `implicit` consent mode when that mode in particular is unlikely to be

docs/content/en/integration/openid-connect/apache-guacamole/index.md

@@ -53,7 +53,7 @@ openid-groups-claim-type: groups
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with
 [Apache Guacamole] which will operate with the above example:
 
 ```yaml
@@ -78,7 +78,7 @@ identity_providers:
         - 'id_token'
       grant_types:
         - 'implicit'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/argocd/index.md

@@ -56,7 +56,7 @@ requestedScopes:
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Argo CD]
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [Argo CD]
 which will operate with the above example:
 
 ```yaml
@@ -77,7 +77,7 @@ identity_providers:
         - 'groups'
         - 'email'
         - 'profile'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
     - id: 'argocd-cli'
       description: 'Argo CD (CLI)'
       public: true
@@ -90,7 +90,7 @@ identity_providers:
         - 'email'
         - 'profile'
         - 'offline_access'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/bookstack/index.md

@@ -58,7 +58,7 @@ To configure [BookStack] to utilize Authelia as an [OpenID Connect 1.0] Provider
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [BookStack]
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [BookStack]
 which will operate with the above example:
 
 ```yaml
@@ -78,7 +78,7 @@ identity_providers:
         - 'openid'
         - 'profile'
         - 'email'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/cloudflare-zerotrust/index.md

@@ -66,7 +66,7 @@ To configure [Cloudflare Zero Trust] to utilize Authelia as an [OpenID Connect 1
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Cloudflare]
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [Cloudflare]
 which will operate with the above example:
 
 ```yaml
@@ -86,7 +86,7 @@ identity_providers:
         - 'openid'
         - 'profile'
         - 'email'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/firezone/index.md

@@ -67,7 +67,7 @@ descriptions.
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Firezone] which
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [Firezone] which
 will operate with the above example:
 
 ```yaml
@@ -89,7 +89,7 @@ identity_providers:
         - 'openid'
         - 'email'
         - 'profile'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/gitea/index.md

@@ -77,7 +77,7 @@ descriptions.
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Gitea] which
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [Gitea] which
 will operate with the above example:
 
 ```yaml
@@ -97,7 +97,7 @@ identity_providers:
         - 'openid'
         - 'email'
         - 'profile'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/gitlab/index.md

@@ -69,7 +69,7 @@ gitlab_rails['omniauth_providers'] = [
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [GitLab]
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [GitLab]
 which will operate with the above example:
 
 ```yaml
@@ -90,7 +90,7 @@ identity_providers:
         - 'profile'
         - 'groups'
         - 'email'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/grafana/index.md

@@ -87,7 +87,7 @@ Configure the following environment variables:
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Grafana]
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [Grafana]
 which will operate with the above example:
 
 ```yaml
@@ -108,7 +108,7 @@ identity_providers:
         - 'profile'
         - 'groups'
         - 'email'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/harbor/index.md

@@ -60,7 +60,7 @@ To configure [Harbor] to utilize Authelia as an [OpenID Connect 1.0] Provider:
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Harbor]
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [Harbor]
 which will operate with the above example:
 
 ```yaml
@@ -81,7 +81,7 @@ identity_providers:
         - 'profile'
         - 'groups'
         - 'email'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/hashicorp-vault/index.md

@@ -43,7 +43,7 @@ To configure [HashiCorp Vault] to utilize Authelia as an [OpenID Connect 1.0] Pr
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [HashiCorp Vault]
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [HashiCorp Vault]
 which will operate with the above example:
 
 ```yaml
@@ -65,7 +65,7 @@ identity_providers:
         - 'profile'
         - 'groups'
         - 'email'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/introduction.md

@@ -18,8 +18,10 @@ Authelia can act as an [OpenID Connect 1.0] Provider as part of an open beta. Th
 specifics that can be used for integrating Authelia with an [OpenID Connect 1.0] Relying Party, as well as specific
 documentation for some [OpenID Connect 1.0] Relying Party implementations.
 
-See the [configuration documentation](../../configuration/identity-providers/open-id-connect.md) for information on how
-to configure the Authelia [OpenID Connect 1.0] Provider.
+See the [OpenID Connect 1.0 Provider](../../configuration/identity-providers/openid-connect/provider.md) and
+[OpenID Connect 1.0 Clients](../../configuration/identity-providers/openid-connect/clients.md) configuration guides for
+information on how to configure the Authelia [OpenID Connect 1.0] Provider (note the clients guide is for configuring
+the registered clients in the provider).
 
 This page is intended as an integration reference point for any implementers who wish to integrate an
 [OpenID Connect 1.0] Relying Party (client application) either as a developer or user of the third party Reyling Party.
@@ -124,13 +126,23 @@ Authelia's response objects can have the following signature algorithms:
 
 ### Request Object
 
+Authelia accepts a wide variety of request object types.
 
 | Algorithm |      Key Type      | Hashing Algorithm |    Use    |                       Notes                        |
 |:---------:|:------------------:|:-----------------:|:---------:|:--------------------------------------------------:|
 |   none    |        None        |       None        |    N/A    |                        N/A                         |
 |   HS256   | HMAC Shared Secret |      SHA-256      | Signature | [Client Authentication Method] `client_secret_jwt` |
 |   HS384   | HMAC Shared Secret |      SHA-384      | Signature | [Client Authentication Method] `client_secret_jwt` |
 |   HS512   | HMAC Shared Secret |      SHA-512      | Signature | [Client Authentication Method] `client_secret_jwt` |
+|   RS256   |        RSA         |      SHA-256      | Signature |  [Client Authentication Method] `private_key_jwt`  |
+|   RS384   |        RSA         |      SHA-384      | Signature |  [Client Authentication Method] `private_key_jwt`  |
+|   RS512   |        RSA         |      SHA-512      | Signature |  [Client Authentication Method] `private_key_jwt`  |
+|   ES256   |    ECDSA P-256     |      SHA-256      | Signature |  [Client Authentication Method] `private_key_jwt`  |
+|   ES384   |    ECDSA P-384     |      SHA-384      | Signature |  [Client Authentication Method] `private_key_jwt`  |
+|   ES512   |    ECDSA P-521     |      SHA-512      | Signature |  [Client Authentication Method] `private_key_jwt`  |
+|   PS256   |     RSA (MFG1)     |      SHA-256      | Signature |  [Client Authentication Method] `private_key_jwt`  |
+|   PS384   |     RSA (MFG1)     |      SHA-384      | Signature |  [Client Authentication Method] `private_key_jwt`  |
+|   PS512   |     RSA (MFG1)     |      SHA-512      | Signature |  [Client Authentication Method] `private_key_jwt`  |
 
 [Client Authentication Method]: #client-authentication-method
 
@@ -208,7 +220,7 @@ specification and the [OAuth 2.0 - Client Types] specification for more informat
 |  Secret via HTTP Basic Auth Scheme   |     `client_secret_basic`     |     `confidential`     |           N/A           |                           N/A                            |
 |      Secret via HTTP POST Body       |     `client_secret_post`      |     `confidential`     |           N/A           |                           N/A                            |
 |        JWT (signed by secret)        |      `client_secret_jwt`      |     `confidential`     |           N/A           | `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` |
-|     JWT (signed by private key)      |       `private_key_jwt`       |     Not Supported      |           N/A           | `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` |
+|     JWT (signed by private key)      |       `private_key_jwt`       |     `confidential`     |           N/A           | `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` |
 |        [OAuth 2.0 Mutual-TLS]        |       `tls_client_auth`       |     Not Supported      |           N/A           |                           N/A                            |
 | [OAuth 2.0 Mutual-TLS] (Self Signed) | `self_signed_tls_client_auth` |     Not Supported      |           N/A           |                           N/A                            |
 |          No Authentication           |            `none`             |        `public`        |        `public`         |                           N/A                            |
@@ -243,7 +255,7 @@ Below is a list of the potential values we place in the [Claim] and their meanin
 ## User Information Signing Algorithm
 
 The following table describes the response from the [UserInfo] endpoint depending on the
-[userinfo_signing_algorithm](../../configuration/identity-providers/open-id-connect.md#userinfosigningalgorithm).
+[userinfo_signing_alg](../../configuration/identity-providers/openid-connect/clients.md#userinfosigningalg).
 
 | Signing Algorithm |   Encoding   |            Content Type             |
 |:-----------------:|:------------:|:-----------------------------------:|

docs/content/en/integration/openid-connect/kasm-workspaces/index.md

@@ -80,7 +80,7 @@ identity_providers:
           - 'groups'
           - 'email'
         consent_mode: 'implicit'
-        userinfo_signing_algorithm: 'none'
+        userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/komga/index.md

@@ -65,7 +65,7 @@ spring:
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Komga]
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [Komga]
 which will operate with the above example:
 
 ```yaml
@@ -87,7 +87,7 @@ identity_providers:
         - 'email'
       grant_types:
         - 'authorization_code'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/minio/index.md

@@ -63,7 +63,7 @@ To configure [MinIO] to utilize Authelia as an [OpenID Connect 1.0] Provider:
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [MinIO]
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [MinIO]
 which will operate with the above example:
 
 ```yaml
@@ -84,7 +84,7 @@ identity_providers:
         - 'profile'
         - 'email'
         - 'groups'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/misago/index.md

@@ -79,7 +79,7 @@ To configure [Misago] to utilize Authelia as an [OpenID Connect 1.0](https://www
 
 ### Authelia
 
-The following YAML configuration is an example **Authelia** [client configuration](https://www.authelia.com/configuration/identity-providers/open-id-connect/#clients) for use with [Misago] which will operate with the above example:
+The following YAML configuration is an example **Authelia** [client configuration](https://www.authelia.com/configuration/identity-providers/openid-connect/#clients) for use with [Misago] which will operate with the above example:
 
 ```yaml
 identity_providers:
@@ -104,7 +104,7 @@ identity_providers:
         - 'code'
       response_modes:
         - 'query'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ---

docs/content/en/integration/openid-connect/nextcloud/index.md

@@ -86,7 +86,7 @@ $CONFIG = array (
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Nextcloud]
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [Nextcloud]
 which will operate with the above example:
 
 ```yaml
@@ -107,7 +107,7 @@ identity_providers:
         - 'profile'
         - 'email'
         - 'groups'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also

docs/content/en/integration/openid-connect/outline/index.md

@@ -60,7 +60,7 @@ OIDC_SCOPES="openid offline_access profile email"
 ### Authelia
 
 The following YAML configuration is an example __Authelia__
-[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Outline]
+[client configuration](../../../configuration/identity-providers/openid-connect/clients.md) for use with [Outline]
 which will operate with the above example:
 
 ```yaml
@@ -81,7 +81,7 @@ identity_providers:
         - 'offline_access'
         - 'profile'
         - 'email'
-      userinfo_signing_algorithm: 'none'
+      userinfo_signing_alg: 'none'
 ```
 
 ## See Also