Merged
Conversation
Contributor
Pull request overview
Implements ACME External Account Binding (EAB) support (RFC 8555 §7.3.4) by adding storage for provisioned external account keys, validating EAB JWS bindings on new-account requests, and extending conformance tests to cover EAB scenarios.
Changes:
- Add `ExternalAccountKey` model + persistence (`IStoreExternalAccountKeys`) with file-based and in-memory implementations.
- Add `IExternalAccountBindingService` + default validator to verify EAB flattened JWS (HMAC + url + payload JWK match).
- Update account creation flow to accept/bind an external account key id, and add conformance scenarios + step definitions for EAB.
Reviewed changes
Copilot reviewed 17 out of 19 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| web/package-lock.json | Bumps a few frontend dependency versions. |
| tests/opencertserver.lambda.tests/opencertserver.lambda.tests.csproj | Updates AWS SDK extensions package version. |
| tests/opencertserver.certserver.tests/StepDefinitions/AcmeConformance.cs | Adds step definitions + helpers for EAB conformance scenarios. |
| tests/opencertserver.certserver.tests/Features/AcmeConformance.feature | Adds new EAB rule/scenarios to the conformance feature. |
| tests/opencertserver.certserver.tests/Features/AcmeConformance.feature.cs | Regenerated feature code to include EAB scenarios. |
| src/opencertserver.acme.server/Stores/InMemoryExternalAccountKeyStore.cs | Adds in-memory EAB key store implementation. |
| src/opencertserver.acme.server/Stores/ExternalAccountKeyStore.cs | Adds file-based EAB key store implementation. |
| src/opencertserver.acme.server/Services/DefaultExternalAccountBindingService.cs | Implements EAB JWS validation + active-key checks. |
| src/opencertserver.acme.server/Endpoints/AccountEndpoints.cs | Validates EAB on new-account and binds the external account id to created accounts. |
| src/opencertserver.acme.server/Services/DefaultAccountService.cs | Extends account creation to accept an external account id. |
| src/opencertserver.acme.server/JsonDefaults.cs | Adds source-gen serialization metadata for ExternalAccountKey. |
| src/opencertserver.acme.server/Extensions/ServiceCollectionExtensions.cs | Registers EAB service and key stores for file/in-memory setups. |
| src/opencertserver.acme.server/Configuration/FileStoreOptions.cs | Adds ExternalAccountKeyPath location under file store base path. |
| src/opencertserver.acme.abstractions/Storage/IStoreExternalAccountKeys.cs | Introduces storage contract for external account keys. |
| src/opencertserver.acme.abstractions/Services/IExternalAccountBindingService.cs | Introduces service contract for EAB validation / key status checks. |
| src/opencertserver.acme.abstractions/Services/IAccountService.cs | Extends account creation API with optional external account id. |
| src/opencertserver.acme.abstractions/Model/ExternalAccountKey.cs | Adds the external account key domain model. |
| src/opencertserver.acme.abstractions/Model/Account.cs | Persists the external account id on accounts created with EAB. |
| src/opencertserver.acme.abstractions/Exceptions/ExternalAccountBindingException.cs | Adds EAB-specific exception mapped to externalAccountRequired. |
Files not reviewed (2)
- tests/opencertserver.certserver.tests/Features/AcmeConformance.feature.cs: Language not supported
- web/package-lock.json: Language not supported
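The overview above says the new validator checks the EAB flattened JWS by recomputing the HMAC, comparing the protected header's `url` with the new-account URL, and matching the payload JWK against the account key, with a separate active-key check. The following is an added Python example of that RFC 8555 §7.3.4 exchange, not code from the opencertserver project (whose implementation is C# and is not reproduced here): the client side builds the inner JWS, the server side rejects it for each of the reasons a CA has to cover. The key ids, MAC secrets, JWK values and URL are constructed, and the `EAB_KEY_STORE` dict stands in for the PR's `IStoreExternalAccountKeys` store.

```python
# Added example (not code from the opencertserver project): an RFC 8555 §7.3.4
# External Account Binding (EAB) round trip. The client builds the inner
# "externalAccountBinding" flattened JWS; the server validates it the way the
# PR overview describes (HMAC signature, "url" check, payload JWK match) plus
# an active-key check. Key ids, secrets, JWK values and URLs are constructed.
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515 §2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed stand-in for the external account key store: kid -> MAC key + active flag.
# A real CA provisions these out of band and hands (kid, key) to the subscriber.
EAB_KEY_STORE = {
    "acct-key-001": {"secret": b"constructed-mac-key-number-one", "active": True},
    "acct-key-002": {"secret": b"constructed-mac-key-number-two", "active": False},
}

NEW_ACCOUNT_URL = "https://ca.example.test/acme/new-account"  # constructed


def build_eab(kid: str, mac_key: bytes, account_jwk: dict, new_account_url: str) -> dict:
    """Client side: flattened JWS whose payload is the ACME account public key JWK.

    Per RFC 8555 §7.3.4 the inner JWS uses a MAC alg, carries kid and url in the
    protected header, and has no nonce.
    """
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected}.{payload}".encode("ascii")
    signature = hmac.new(mac_key, signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(signature)}


def validate_eab(eab: dict, outer_jwk: dict, request_url: str, store: dict = EAB_KEY_STORE) -> str:
    """Server side: return the bound kid, or raise ValueError naming the failed check.

    outer_jwk is the "jwk" from the newAccount request's outer JWS header;
    request_url is the URL the newAccount request was actually received on.
    """
    if not all(k in eab for k in ("protected", "payload", "signature")):
        raise ValueError("malformed EAB: missing JWS member")
    try:
        header = json.loads(b64url_decode(eab["protected"]))
    except ValueError:
        raise ValueError("malformed protected header")
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    if "nonce" in header:  # §7.3.4: the inner JWS MUST NOT include a nonce
        raise ValueError("nonce not allowed in EAB")
    kid = header.get("kid")
    entry = store.get(kid)
    if entry is None:
        raise ValueError("unknown kid")
    if not entry["active"]:
        raise ValueError("kid is not active")
    if header.get("url") != request_url:
        raise ValueError("url mismatch")
    # Recompute the MAC over the exact base64url text the client signed; a
    # constant-time comparison avoids leaking how many bytes matched.
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(entry["secret"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        raise ValueError("bad signature")
    # The signed payload must be the very key that will own the new account.
    inner_jwk = json.loads(b64url_decode(eab["payload"]))
    if inner_jwk != outer_jwk:
        raise ValueError("payload JWK does not match account key")
    return kid


def eab_rejection_reason(eab: dict, outer_jwk: dict, request_url: str, store: dict = EAB_KEY_STORE):
    """Convenience wrapper: None when the binding is valid, else the rejection reason."""
    try:
        validate_eab(eab, outer_jwk, request_url, store)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed account JWK; only its exact equality matters for this check.
    account_jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    eab = build_eab("acct-key-001", EAB_KEY_STORE["acct-key-001"]["secret"], account_jwk, NEW_ACCOUNT_URL)
    print("valid binding ->", validate_eab(eab, account_jwk, NEW_ACCOUNT_URL))
    print("other key    ->", eab_rejection_reason(eab, {"kty": "RSA", "n": "x", "e": "AQAB"}, NEW_ACCOUNT_URL))
    print("other url    ->", eab_rejection_reason(eab, account_jwk, "https://ca.example.test/acme/other"))
```

When the server maps a failure to an ACME problem, the reason string is what would become the `externalAccountRequired` error detail; on success the returned kid is what gets persisted on the account, which is the binding the PR's `Account` model change records.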
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ormance.cs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Owner
Author
@copilot apply changes based on the comments in this thread
…ernalAccountBindingException Agent-Logs-Url: https://github.com/jjrdk/opencertserver/sessions/6b704152-b866-472f-a91e-6cbc11c52681 Co-authored-by: jjrdk <149390+jjrdk@users.noreply.github.com>
Agent-Logs-Url: https://github.com/jjrdk/opencertserver/sessions/6b704152-b866-472f-a91e-6cbc11c52681 Co-authored-by: jjrdk <149390+jjrdk@users.noreply.github.com>
Owner
Author
@copilot apply changes based on the comments in this thread
Copilot stopped work on behalf of jjrdk due to an error (April 11, 2026 21:48)
Implement external account binding to support external account requirements