proposal: x/oauth2: add support for client_assertion

[michaeldcanady]

Proposal Details

Currently this package does not support client_assertion/client_assertion_type OAuth2.0 client authentication outlined here in the OpenID Connect documentation (not up to standard). Here is an example outlined in this documentation, for a visual on what the request would look like:

  Host: server.example.com
  Content-Type: application/x-www-form-urlencoded

  grant_type=authorization_code&
    code=i1WsRn1uB1&
    client_id=s6BhdRkqt3&
    client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
    client_assertion=PHNhbWxwOl ... ZT

(Pulled from golang/oauth2#744)

[gabyhelp]

Related Issues

• proposal: x/oauth2: support private_key_jwt client authentication #57186

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[seankhliao]

What does support look like for x/oauth2? What do we need to add or change in terms of API and documentation?

[michaeldcanady]

Thank you for replying so quickly! I think mainly it would be adding a new method to the oauth.Config type. I'll be honest I haven't looked too deeply into in there would be greater changes. The issue I linked in the initial description details a workaround and some feedback from others! Let me know if there is any other information you need/want!

Example of new API method

func (c *Config) ClientAssertion(ctx context.Context,  jwt string) (*Token, error) {
	v := url.Values{
		"client_assertion": {jwt},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
	}
       // validate jwt has the required claim values: iss, sub, aud, jti, exp, (optional) iat
	if len(c.Scopes) > 0 {
		v.Set("scope", strings.Join(c.Scopes, " "))
	}
	return retrieveToken(ctx, c, v)
}