
Commit 95bf267

committed
support use of Elliptic Curve prime256v1 keys for private_key_jwt
(ES256) token endpoint and introspection endpoint authentication; closes #1336; bump to 2.4.17.2dev Signed-off-by: Hans Zandbelt <[email protected]>
1 parent 69620ae commit 95bf267

3 files changed

+11
-7
lines changed


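--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+07/11/2025
+- support use of Elliptic Curve prime256v1 keys for private_key_jwt (ES256) token endpoint
+and introspection endpoint authentication; closes #1336
+- bump to 2.4.17.2dev
+
 06/25/2025
 - allow to suppress warnings about (individual) X-Forwarded headers; see #1333
 through environment variable OIDC_CHECK_X_FORWARDED_HDR_LOG_DISABLE, e.g.: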

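--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.17.1],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.17.2dev],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 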
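--- a/src/proto/auth.c
+++ b/src/proto/auth.c
@@ -191,14 +191,12 @@ static apr_byte_t oidc_proto_endpoint_auth_private_key_jwt(request_rec *r, oidc_
 return FALSE;
 
 if ((client_keys != NULL) && (client_keys->nelts > 0)) {
-jwk = oidc_util_key_list_first(client_keys, CJOSE_JWK_KTY_RSA, OIDC_JOSE_JWK_SIG_STR);
+jwk = oidc_util_key_list_first(client_keys, -1, OIDC_JOSE_JWK_SIG_STR);
 if (jwk && jwk->x5t)
 jwt->header.x5t = apr_pstrdup(r->pool, jwk->x5t);
 } else if ((oidc_cfg_private_keys_get(cfg) != NULL) && (oidc_cfg_private_keys_get(cfg)->nelts > 0)) {
-jwk =
-oidc_util_key_list_first(oidc_cfg_private_keys_get(cfg), CJOSE_JWK_KTY_RSA, OIDC_JOSE_JWK_SIG_STR);
-jwk_pub =
-oidc_util_key_list_first(oidc_cfg_public_keys_get(cfg), CJOSE_JWK_KTY_RSA, OIDC_JOSE_JWK_SIG_STR);
+jwk = oidc_util_key_list_first(oidc_cfg_private_keys_get(cfg), -1, OIDC_JOSE_JWK_SIG_STR);
+jwk_pub = oidc_util_key_list_first(oidc_cfg_public_keys_get(cfg), -1, OIDC_JOSE_JWK_SIG_STR);
 if (jwk_pub && jwk_pub->x5t)
 // populate x5t; at least required for Microsoft Entra ID / Azure AD
 jwt->header.x5t = apr_pstrdup(r->pool, jwk_pub->x5t);
@@ -212,7 +210,8 @@ static apr_byte_t oidc_proto_endpoint_auth_private_key_jwt(request_rec *r, oidc_
 }
 
 jwt->header.kid = apr_pstrdup(r->pool, jwk->kid);
-jwt->header.alg = apr_pstrdup(r->pool, CJOSE_HDR_ALG_RS256);
+jwt->header.alg =
+apr_pstrdup(r->pool, jwk->kty == CJOSE_JWK_KTY_EC ? CJOSE_HDR_ALG_ES256 : CJOSE_HDR_ALG_RS256);
 
 oidc_proto_jwt_sign_and_add(r, params, jwt, jwk);
 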
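Review bot: The `alg` header set in the second hunk is derived from `jwk->kty` alone, so any EC signing key returned by the widened `-1` lookups in the first hunk is labelled ES256 even when its curve is P-384 or P-521, yielding a client assertion whose header does not match the key and a failure that only surfaces at sign time or at the authorization server. Since the commit message scopes the feature to prime256v1, the curve should be checked before the alg is chosen, e.g. `if (jwk->kty == CJOSE_JWK_KTY_EC && <CURVE_OF_jwk (placeholder)> != P-256) return FALSE;` with a log line, where cjose's `cjose_jwk_EC_get_curve()` can supply the curve if the wrapper exposes the underlying cjose key (assumed, not visible here). If `-1` means "any kty" as the change suggests, the same widening presumably also lets a non-RSA, non-EC `sig` entry (such as an `oct` key) reach the RS256 branch, so the else side of the ternary should be restricted to `CJOSE_JWK_KTY_RSA` explicitly rather than being the default. A comment on the ternary, `// ES256 is valid only for P-256 keys; other EC curves would need ES384/ES512`, would document the constraint for maintainers. The body of `oidc_proto_endpoint_auth_private_key_jwt` starts and ends outside these hunks, so any existing NULL check on `jwk` between them is not visible in this view.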