PKCE and Adding private key JWT support for OIDC#22732
Merged
Conversation
github-actions
bot
added
theme/api
panman90
changed the title
suresh-hashicorp
previously approved these changes
Sep 10, 2025
Contributor
suresh-hashicorp
left a comment
suresh-hashicorp
left a comment
There was a problem hiding this comment.
UI changes are good.
sreeram77
requested changes
Sep 11, 2025
.changelog/22732.txt
Outdated
| @@ -0,0 +1,3 @@ | |||
| ```release-note:feature | |||
| oidc: Added support for client authentication using JWT assertion and PKCE. default PKCE is disable | |||
Member
There was a problem hiding this comment.
Suggested change
| oidc: Added support for client authentication using JWT assertion and PKCE. default PKCE is disable | |
| auth: add client authentication using JWT assertion and PKCE. default PKCE is disabled. |
Contributor
Author
There was a problem hiding this comment.
updated message, mentioning OIDC as it only cover that auth flow
internal/go-sso/oidcauth/jwt.go
Outdated
| } | ||
|
|
||
| func (a *Authenticator) verifyOIDCToken(ctx context.Context, rawToken string) (map[string]interface{}, error) { | ||
| allClaims := make(map[string]interface{}) |
Member
There was a problem hiding this comment.
Please replace interface{} with any
internal/go-sso/oidcauth/oidc.go
Outdated
| "time" | ||
|
|
||
| "github.com/coreos/go-oidc/v3/oidc" | ||
| // HashiCorp CAP (Cloud Authentication Primitives) library for OIDC flows |
dduzgun-security
requested changes
Sep 12, 2025
Collaborator
dduzgun-security
left a comment
dduzgun-security
left a comment
There was a problem hiding this comment.
Thanks a lot for working on this.
Here are a few security points which could be reviewed:
- Can we have the PKCE check enabled explicitly by default?
- Can we add the kid header to identify which key was used to sign the JWT?
- If the kid not set, can we include the same x5t header logic as Nomad (ref)? By defaulting the checksum to x5t#S256
- Can we default to Elliptic Curve instead of RS256? It's more performant. We can also include RS256 in the list of allowed algs
- Can we add some unit tests for the
algportion please? There are also various tests we can include which were captured in Nomads implementation (ref)
Contributor
Author
|
@dduzgun-security - Thanks for your feedback
|
Collaborator
|
@mansi991999 thanks for the reply and looking at it. I forgot to mention on the initial comment but could we also include some unit tests for jwt.go and auth.go? I've added a comment in the internal RFC to understand more why the |
mrgupta7
previously approved these changes
Sep 16, 2025
sreeram77
requested changes
Sep 16, 2025
internal/go-sso/oidcauth/auth.go
Outdated
| return nil, fmt.Errorf("error creating provider config: %v", err) | ||
| } | ||
|
|
||
| provider, error := capOidc.NewProvider(providerConfig) |
Member
There was a problem hiding this comment.
Please don't use 'error' for an error since this is a built in keyword. You can reuse err.
internal/go-sso/oidcauth/jwt.go
Outdated
| return nil, errors.New("data does not contain any valid RSA, ECDSA, or ED25519 public keys") | ||
| } | ||
|
|
||
| func (a *Authenticator) verifyOIDCToken(ctx context.Context, rawToken string) (map[string]interface{}, error) { |
Member
There was a problem hiding this comment.
Please replace interface{} with any.
|
|
||
| "github.com/coreos/go-oidc/v3/oidc" | ||
| "github.com/hashicorp/cap/oidc" | ||
| cass "github.com/hashicorp/cap/oidc/clientassertion" |
Contributor
Author
There was a problem hiding this comment.
to make references more concise
internal/go-sso/oidcauth/oidc.go
Outdated
| authURL, err := provider.AuthURL(ctx, request) | ||
| if err != nil { | ||
| return "", fmt.Errorf("error generating OAuth state: %v", err) | ||
| return "", fmt.Errorf("Error while generating AuthURL %q", err) |
Member
There was a problem hiding this comment.
error string should start with a lower case
Contributor
Author
|
@dduzgun-security |
dduzgun-security
approved these changes
Sep 16, 2025
sreeram77
approved these changes
Sep 17, 2025
sanikachavan5
pushed a commit
that referenced
this pull request
Sep 23, 2025
* Adding private key JWT support for OIDC
sanikachavan5
added a commit
that referenced
this pull request
Jan 28, 2026
* add timeouts to prevent slowloris attacks * rename * fix tests * fix test * fix failing test * add docs and tests * lint issues * Added support for IPv6 virtual IP offset calculation and validation. (#22741) * - Added support for IPv6 virtual IP offset calculation and validation. - Upgraded `github.com/miekg/dns` dependency to v1.1.68. - Included `BindAddr` in agent endpoint and enabled binding logic in IP offset calculations. - Updated `go.mod` and `go.sum` to reflect dependency changes. * Refactored `addIPOffset` to utilize `BindAddr` and introduced `getAgentBindAddr` for improved binding logic and IP offset calculation. Added utility function isDualStack * Executed go mod tidy * Refactored network utilities into `netutil` package and updated `catalog.go` to use new functions for improved modularity and clarity. Removed duplicate implementations of `GetAgentConfig` and `isDualStack`. * Added comprehensive unit tests for `netutil` package covering `GetAgentConfig`, `GetAgentBindAddr`, and `IsDualStack`. Refactored functions to support mocking for improved testability. * only retaining utility function changes. * added changelog * Latest Envoy version update - default v1.34.7 (#22735) * docs: Additional entries for versioned redirects (#22694) * "Get started" section redirects * deploy & secure * Consul operations complete * register & discover * Finish service networking * Enterprise, Runtimes, and Plugins sections * Reference docs * added BinAddr field in agent/self API response (#22761) * PKCE and Adding private key JWT support for OIDC (#22732) * Adding private key JWT support for OIDC * Submodules Version upgrade (#22776) * [CSL-11760] [Envoy Bootstrap] Defaults to IPv6 for admin-bind and grpc-addr in dual stack if its empty (#22763) * add: func to check dual-stack configuration * add: testcases for dual-stack of admin-bind and grpc adrr * envoy: admin-bind and grpc-addr dual-stack defaults to ipv6 * fix(review comment): creates a constant for loopback address * add: debug log to verify recieved isDualStack value * add: changelog file added * update: changelog file * fix: correct format specifier * fix(review): make constant for default envoy admin port * Update .changelog/22763.txt Co-authored-by: Sreeram Narayanan <sreeram.narayanan@hashicorp.com> * fix: TestAgent_Monitor flaky test --------- Co-authored-by: Sreeram Narayanan <sreeram.narayanan@hashicorp.com> * update: default upstream.local_bind_address to ::1 for IPv6 agent bind address (#22773) * update: default upstream.local_bind_address to ::1 for IPv6 agent bind addr * add: changelog --------- Co-authored-by: Mukul Anand <mukul.anand@hashicorp.com> * update: set proxy.local_service_address to ::1 for IPv6 agent bind addr (#22772) * update: set proxy.local_service_address to ::1 for IPv6 agent bind addr * add: changelog --------- Co-authored-by: Mukul Anand <mukul.anand@hashicorp.com> * update: default proxy BindAddress to :: for IPv6 agent bind addr (#22774) * update: default proxy BindAddress to :: for IPv6 agent bind addr * add: changelog * fixing conflicts --------- Co-authored-by: Mukul Anand <mukul.anand@hashicorp.com> * Consul ENT default version change #22783 (#22784) * [Bugfix]: suppress lacks token permission while checking dual stack (#22788) fix: suppress lacks token permission while checking dual stack * updated redhat image to latest (#22794) * Suppress CVEs (#22801) * redhat version revert (#22806) redhat image version revert to 9.6 * Suppress CVE-2025-6395 (#22808) * fix path cleaning of proxied urls (#22671) * fix path cleaning of proxied urls * add changelog * added more tests * add tests and address review comments * address review changes * remove usage of dynamic GitHub actions variable (#22725) use hardcoded names for preventing attacks * Multi Port Service Discovery (#22769) 1. Support for registering a service with multiple named ports 2. The named ports can be used in DNS queries to discover ports based on usecase * add timeouts to prevent slowloris attacks * Delete .changelog/22625.txt * doc changes * run codegen * simplify error handling * test: add long-running profile and trace tests for pprof handlers * changelog: update security note to clarify HTTP server timeout configurations against Slowloris attacks test: remove short test skip for HTTP server timeout tests --------- Co-authored-by: nitin-sachdev-29 <nitin.sachdev@hashicorp.com> Co-authored-by: LakshmiNarayananDesikan <lakshminarayanan.desikan@hashicorp.com> Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: mansi991999 <mansi.panchal@hashicorp.com> Co-authored-by: anilvpatel <anilkumarvinodbhai.patel@hashicorp.com> Co-authored-by: Sreeram Narayanan <sreeram.narayanan@hashicorp.com> Co-authored-by: Mukul Anand <mukul.anand@hashicorp.com> Co-authored-by: Manisha Kumari <manisha.kumari@hashicorp.com> Co-authored-by: Sriram R <sriramr083@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adding support for private key(client assertion) and PKCE for OIDC
Testing & Reproduction steps
Tested with Keyclock and Auth0 with private key JWT instead of client secret
Links
https://auth0.com/docs/authenticate/enterprise-connections/private-key-jwt-client-auth
PR Checklist
PCI review checklist
I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
If applicable, I've documented the impact of any changes to security controls.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.