v0.39.0

@github-actions github-actions released this 21 May 04:17
· 47 commits to main since this release
be5f255

New: JWT-Bearer Grant (RFC 7523)

The oauth_token transform now supports grant: jwt_bearer for RFC 7523 JWT-bearer flows. The proxy mints a JWT signed with an RSA private key sourced from any secrets backend, exchanges it at the token endpoint, and injects the resulting bearer on matching requests. This covers DocuSign, Salesforce, Box, Zoom Server-to-Server, Adobe Sign, and any other vendor that trades a signed JWT assertion for an access token. Token caching, single-flight, fingerprint-based credential rotation, and token_endpoint_headers all apply as with the other grant types.

- name: oauth_token
  config:
    tokens:
      - grant: jwt_bearer
        issuer:         {type: env, var: DOCUSIGN_INTEGRATION_KEY}
        subject:        {type: env, var: DOCUSIGN_USER_GUID}
        private_key:
          type: 1password_connect
          secret_ref: "op://Engineering/DOCUSIGN/private-key.pem"
        private_key_id: {type: env, var: DOCUSIGN_KEY_ID}   # optional; emitted as JWT kid header
        audience: "account.docusign.com"
        token_endpoint: "https://account.docusign.com/oauth/token"
        scopes: ["signature", "impersonation"]
        rules:
          - host: "*.docusign.net"

The same shape works for Salesforce (audience: https://login.salesforce.com, token_endpoint: https://login.salesforce.com/services/oauth2/token), Box, and Zoom S2S. Only audience, token_endpoint, and scopes change. The existing gcp_auth transform remains the convenience wrapper for Google's keyfile format.
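To make the minting step concrete, here is an added example (not the project's own code) of the RFC 7523 assertion and token-request body that a jwt_bearer grant produces, plus the signature check the token endpoint applies. The names MintAssertion, TokenForm, Verify and demoKey are hypothetical. The 5-minute lifetime and the always-present kid are assumptions, and scopes are left out because the page does not say how the proxy sends them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key, not a real credential

// MintAssertion builds the RS256-signed assertion (hypothetical helper name).
func MintAssertion(key *rsa.PrivateKey, kid, iss, sub, aud string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]any{"iss": iss, "sub": sub, "aud": aud,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()}) // assumed 5-minute lifetime
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// TokenForm is the form body POSTed to token_endpoint (RFC 7523 section 2.1).
func TokenForm(assertion string) string {
	return url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}}.Encode()
}

// Verify checks the signature over header.claims, as the token endpoint does.
func Verify(pub *rsa.PublicKey, jwt string) error {
	p := strings.Split(jwt, ".")
	if len(p) != 3 {
		return fmt.Errorf("malformed assertion")
	}
	sig, _ := b64.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	jwt, _ := MintAssertion(demoKey, "kid-1", "integration-key", "user-guid", "account.docusign.com", time.Now())
	fmt.Println(TokenForm(jwt), Verify(&demoKey.PublicKey, jwt))
}
```

Verify covers only the signature. A real token endpoint also validates aud and exp, which is why a short assertion lifetime limits the value of a captured assertion.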

Changelog

  • be5f255 feat(oauth): add jwt_bearer grant for RFC 7523 JWT-bearer flows (DocuSign, Salesforce, Box, Zoom S2S) (#136)