Add private_key_jwt client authentication method (#6)

mbilski · web-flow · commit 79dd1dd70d97 · 2022-11-16T13:51:50.000+01:00
diff --git a/README.md b/README.md
@@ -186,3 +186,14 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
   --auth-method client_secret_jwt \
   --scopes introspect_tokens,revoke_tokens
 ```
+
+### Private Key JWT
+
+``` sh
+oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
+  --client-id 582af0afb0d74554aa7af47849edb222 \
+  --signing-key https://pastebin.com/raw/WMkzhjhm \
+  --grant-type client_credentials \
+  --auth-method private_key_jwt \
+  --scopes introspect_tokens,revoke_tokens
+```
diff --git a/cmd/log.go b/cmd/log.go
@@ -1,7 +1,12 @@
 package cmd
 
 import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"crypto/x509"
 	"encoding/json"
+	"encoding/pem"
 	"strings"
 
 	"github.com/cloudentity/oauth2c/internal/oauth2"
@@ -111,38 +116,62 @@ func LogAuthMethod(config oauth2.ClientConfig) {
 	}
 }
 
-func LogAssertion(request oauth2.Request) {
-	assertion := request.Form.Get("assertion")
+func LogAssertion(request oauth2.Request, title string, name string) {
+	var (
+		assertion = request.Form.Get(name)
+		token     *jwt.Token
+		claims    jwt.MapClaims
+		err       error
+	)
 
-	if assertion != "" {
-		var claims jwt.MapClaims
+	if assertion == "" {
+		return
+	}
 
-		if token, _, err := parser.ParseUnverified(assertion, &claims); err != nil {
+	if token, _, err = parser.ParseUnverified(assertion, &claims); err != nil {
+		pterm.Error.Println(err)
+		return
+	}
+
+	pterm.DefaultBox.WithTitle(title).Printfln("%s = JWT-%s(payload)", name, token.Header["alg"])
+	pterm.Println("")
+	pterm.Println("Payload")
+	LogJson(claims)
+	pterm.Println("")
+
+	pterm.Println("Key")
+	switch key := request.Key.(type) {
+	case *rsa.PrivateKey:
+		p := bytes.Buffer{}
+
+		if err = pem.Encode(&p, &pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: x509.MarshalPKCS1PrivateKey(key),
+		}); err != nil {
 			pterm.Error.Println(err)
-		} else {
-			pterm.DefaultBox.WithTitle("JWT Bearer assertion").Printfln("assertion = JWT-%s(payload)", token.Header["alg"])
-			pterm.Println("")
-			pterm.Println("Payload")
-			LogJson(claims)
-			pterm.Println("")
 		}
-	}
-}
 
-func LogClientAssertion(request oauth2.Request) {
-	assertion := request.Form.Get("client_assertion")
+		pterm.FgGray.Printfln(p.String())
+	case *ecdsa.PrivateKey:
+		b, err := x509.MarshalECPrivateKey(key)
+
+		if err != nil {
+			pterm.Error.Println(err)
+		}
 
-	if assertion != "" {
-		var claims jwt.MapClaims
+		p := bytes.Buffer{}
 
-		if _, _, err := parser.ParseUnverified(assertion, &claims); err != nil {
+		if err = pem.Encode(&p, &pem.Block{
+			Type:  "EC PRIVATE KEY",
+			Bytes: b,
+		}); err != nil {
 			pterm.Error.Println(err)
-		} else {
-			pterm.DefaultBox.WithTitle("client_assertion").Printfln("client_assertion = JWT-HS256(payload)")
-			pterm.Println("")
-			pterm.Println("Payload")
-			LogJson(claims)
-			pterm.Println("")
 		}
+
+		pterm.FgGray.Printfln(p.String())
+	case []byte:
+		pterm.FgGray.Println(string(key))
 	}
+
+	pterm.Println("")
 }
diff --git a/cmd/oauth2.go b/cmd/oauth2.go
@@ -399,8 +399,8 @@ func tokenEndpointFlow(
 		return err
 	}
 
-	LogAssertion(tokenRequest)
-	LogClientAssertion(tokenRequest)
+	LogAssertion(tokenRequest, "Assertion", "assertion")
+	LogAssertion(tokenRequest, "Client assertion", "client_assertion")
 	LogAuthMethod(clientConfig)
 	LogRequestAndResponse(tokenRequest, tokenResponse)
 	LogTokenPayloadln(tokenResponse)
diff --git a/internal/oauth2/oauth2.go b/internal/oauth2/oauth2.go
@@ -37,7 +37,7 @@ const (
 	ClientSecretBasicAuthMethod string = "client_secret_basic"
 	ClientSecretPostAuthMethod  string = "client_secret_post"
 	ClientSecretJwtAuthMethod   string = "client_secret_jwt"
-	// PrivateKeyJwtAuthMethod     string = "private_key_jwt"
+	PrivateKeyJwtAuthMethod     string = "private_key_jwt"
 	// SelfSignedTLSAuthMethod     string = "self_signed_tls_client_auth"
 	// TLSClientAuthMethod         string = "tls_client_auth"
 	// NoneAuthMethod              string = "none"
@@ -261,7 +261,7 @@ func RequestToken(
 	case JWTBearerGrantType:
 		var assertion string
 
-		if assertion, err = SignJWT(
+		if assertion, request.Key, err = SignJWT(
 			AssertionClaims(sconfig, cconfig),
 			JWKSigner(cconfig, hc),
 		); err != nil {
@@ -278,13 +278,25 @@ func RequestToken(
 	case ClientSecretJwtAuthMethod:
 		var clientAssertion string
 
-		if clientAssertion, err = SignJWT(
+		if clientAssertion, request.Key, err = SignJWT(
 			ClientAssertionClaims(sconfig, cconfig),
 			SecretSigner([]byte(cconfig.ClientSecret)),
 		); err != nil {
 			return request, response, err
 		}
 
+		request.Form.Set("client_assertion_type", JwtBearerClientAssertion)
+		request.Form.Set("client_assertion", clientAssertion)
+	case PrivateKeyJwtAuthMethod:
+		var clientAssertion string
+
+		if clientAssertion, request.Key, err = SignJWT(
+			ClientAssertionClaims(sconfig, cconfig),
+			JWKSigner(cconfig, hc),
+		); err != nil {
+			return request, response, err
+		}
+
 		request.Form.Set("client_assertion_type", JwtBearerClientAssertion)
 		request.Form.Set("client_assertion", clientAssertion)
 	}
diff --git a/internal/oauth2/signing.go b/internal/oauth2/signing.go
@@ -52,35 +52,41 @@ func ReadKey(location string, hc *http.Client) (jose.JSONWebKey, error) {
 	return keys.Keys[0], nil
 }
 
-type SignerProvider func() (jose.Signer, error)
+type SignerProvider func() (jose.Signer, interface{}, error)
 
 func JWKSigner(clientConfig ClientConfig, hc *http.Client) SignerProvider {
-	return func() (signer jose.Signer, err error) {
+	return func() (signer jose.Signer, _ interface{}, err error) {
 		var key jose.JSONWebKey
 
 		if clientConfig.SigningKey == "" {
-			return nil, errors.New("no signing key path")
+			return nil, nil, errors.New("no signing key path")
 		}
 
 		if key, err = ReadKey(clientConfig.SigningKey, hc); err != nil {
-			return nil, errors.Wrapf(err, "failed to read signing key from %s", clientConfig.SigningKey)
+			return nil, nil, errors.Wrapf(err, "failed to read signing key from %s", clientConfig.SigningKey)
 		}
 
-		return jose.NewSigner(jose.SigningKey{
+		if signer, err = jose.NewSigner(jose.SigningKey{
 			Algorithm: jose.SignatureAlgorithm(key.Algorithm),
 			Key:       key.Key,
 		}, &jose.SignerOptions{
 			ExtraHeaders: map[jose.HeaderKey]interface{}{"kid": key.KeyID},
-		})
+		}); err != nil {
+			return nil, nil, errors.Wrapf(err, "failed to create a signer")
+		}
+
+		return signer, key.Key, nil
 	}
 }
 
 func SecretSigner(secret []byte) SignerProvider {
-	return func() (jose.Signer, error) {
-		return jose.NewSigner(jose.SigningKey{
+	return func() (jose.Signer, interface{}, error) {
+		signer, err := jose.NewSigner(jose.SigningKey{
 			Algorithm: jose.HS256,
 			Key:       secret,
 		}, nil)
+
+		return signer, secret, err
 	}
 }
 
@@ -123,30 +129,33 @@ func ClientAssertionClaims(serverConfig ServerConfig, clientConfig ClientConfig)
 	}
 }
 
-func SignJWT(claimsProvider ClaimsProvider, signerProvider SignerProvider) (string, error) {
+func SignJWT(claimsProvider ClaimsProvider, signerProvider SignerProvider) (jwt string, key interface{}, err error) {
 	var (
 		signer jose.Signer
 		claims map[string]interface{}
 		jws    *jose.JSONWebSignature
 		bs     []byte
-		err    error
 	)
 
-	if signer, err = signerProvider(); err != nil {
-		return "", errors.Wrapf(err, "failed to create signer")
+	if signer, key, err = signerProvider(); err != nil {
+		return "", nil, errors.Wrapf(err, "failed to create signer")
 	}
 
 	if claims, err = claimsProvider(); err != nil {
-		return "", errors.Wrapf(err, "failed to build claims")
+		return "", nil, errors.Wrapf(err, "failed to build claims")
 	}
 
 	if bs, err = json.Marshal(claims); err != nil {
-		return "", errors.Wrapf(err, "failed to serialize claims")
+		return "", nil, errors.Wrapf(err, "failed to serialize claims")
 	}
 
 	if jws, err = signer.Sign(bs); err != nil {
-		return "", errors.Wrapf(err, "failed to sign jwt")
+		return "", nil, errors.Wrapf(err, "failed to sign jwt")
+	}
+
+	if jwt, err = jws.CompactSerialize(); err != nil {
+		return "", nil, err
 	}
 
-	return jws.CompactSerialize()
+	return jwt, key, nil
 }
diff --git a/internal/oauth2/signing_test.go b/internal/oauth2/signing_test.go
@@ -32,7 +32,7 @@ func TestSignJWT(t *testing.T) {
 		},
 	)
 
-	jwt, err := oauth2.SignJWT(claims, oauth2.JWKSigner(oauth2.ClientConfig{
+	jwt, _, err := oauth2.SignJWT(claims, oauth2.JWKSigner(oauth2.ClientConfig{
 		SigningKey: "./testdata/jwks-private.json",
 	}, http.DefaultClient))
 	require.NoError(t, err)
diff --git a/internal/oauth2/tracing.go b/internal/oauth2/tracing.go
@@ -7,6 +7,7 @@ type Request struct {
 	URL     *url.URL
 	Headers map[string][]string
 	Form    url.Values
+	Key     interface{}
 }
 
 func (r *Request) Get(key string) string {

Original file line number	Diff line number	Diff line change
`@@ -52,35 +52,41 @@ func ReadKey(location string, hc *http.Client) (jose.JSONWebKey, error) {`
`52`	`52`	`return keys.Keys[0], nil`
`53`	`53`	`}`
`54`	`54`
`55`		`-type SignerProvider func() (jose.Signer, error)`
	`55`	`+type SignerProvider func() (jose.Signer, interface{}, error)`
`56`	`56`
`57`	`57`	`func JWKSigner(clientConfig ClientConfig, hc *http.Client) SignerProvider {`
`58`		`- return func() (signer jose.Signer, err error) {`
	`58`	`+ return func() (signer jose.Signer, _ interface{}, err error) {`
`59`	`59`	`var key jose.JSONWebKey`
`60`	`60`
`61`	`61`	`if clientConfig.SigningKey == "" {`
`62`		`- return nil, errors.New("no signing key path")`
	`62`	`+ return nil, nil, errors.New("no signing key path")`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`if key, err = ReadKey(clientConfig.SigningKey, hc); err != nil {`
`66`		`- return nil, errors.Wrapf(err, "failed to read signing key from %s", clientConfig.SigningKey)`
	`66`	`+ return nil, nil, errors.Wrapf(err, "failed to read signing key from %s", clientConfig.SigningKey)`
`67`	`67`	`}`
`68`	`68`
`69`		`- return jose.NewSigner(jose.SigningKey{`
	`69`	`+ if signer, err = jose.NewSigner(jose.SigningKey{`
`70`	`70`	`Algorithm: jose.SignatureAlgorithm(key.Algorithm),`
`71`	`71`	`Key: key.Key,`
`72`	`72`	`}, &jose.SignerOptions{`
`73`	`73`	`ExtraHeaders: map[jose.HeaderKey]interface{}{"kid": key.KeyID},`
`74`		`- })`
	`74`	`+ }); err != nil {`
	`75`	`+ return nil, nil, errors.Wrapf(err, "failed to create a signer")`
	`76`	`+ }`
	`77`	`+`
	`78`	`+ return signer, key.Key, nil`
`75`	`79`	`}`
`76`	`80`	`}`
`77`	`81`
`78`	`82`	`func SecretSigner(secret []byte) SignerProvider {`
`79`		`- return func() (jose.Signer, error) {`
`80`		`- return jose.NewSigner(jose.SigningKey{`
	`83`	`+ return func() (jose.Signer, interface{}, error) {`
	`84`	`+ signer, err := jose.NewSigner(jose.SigningKey{`
`81`	`85`	`Algorithm: jose.HS256,`
`82`	`86`	`Key: secret,`
`83`	`87`	`}, nil)`
	`88`	`+`
	`89`	`+ return signer, secret, err`
`84`	`90`	`}`
`85`	`91`	`}`
`86`	`92`
`@@ -123,30 +129,33 @@ func ClientAssertionClaims(serverConfig ServerConfig, clientConfig ClientConfig)`
`123`	`129`	`}`
`124`	`130`	`}`
`125`	`131`
`126`		`-func SignJWT(claimsProvider ClaimsProvider, signerProvider SignerProvider) (string, error) {`
	`132`	`+func SignJWT(claimsProvider ClaimsProvider, signerProvider SignerProvider) (jwt string, key interface{}, err error) {`
`127`	`133`	`var (`
`128`	`134`	`signer jose.Signer`
`129`	`135`	`claims map[string]interface{}`
`130`	`136`	`jws *jose.JSONWebSignature`
`131`	`137`	`bs []byte`
`132`		`- err error`
`133`	`138`	`)`
`134`	`139`
`135`		`- if signer, err = signerProvider(); err != nil {`
`136`		`- return "", errors.Wrapf(err, "failed to create signer")`
	`140`	`+ if signer, key, err = signerProvider(); err != nil {`
	`141`	`+ return "", nil, errors.Wrapf(err, "failed to create signer")`
`137`	`142`	`}`
`138`	`143`
`139`	`144`	`if claims, err = claimsProvider(); err != nil {`
`140`		`- return "", errors.Wrapf(err, "failed to build claims")`
	`145`	`+ return "", nil, errors.Wrapf(err, "failed to build claims")`
`141`	`146`	`}`
`142`	`147`
`143`	`148`	`if bs, err = json.Marshal(claims); err != nil {`
`144`		`- return "", errors.Wrapf(err, "failed to serialize claims")`
	`149`	`+ return "", nil, errors.Wrapf(err, "failed to serialize claims")`
`145`	`150`	`}`
`146`	`151`
`147`	`152`	`if jws, err = signer.Sign(bs); err != nil {`
`148`		`- return "", errors.Wrapf(err, "failed to sign jwt")`
	`153`	`+ return "", nil, errors.Wrapf(err, "failed to sign jwt")`
	`154`	`+ }`
	`155`	`+`
	`156`	`+ if jwt, err = jws.CompactSerialize(); err != nil {`
	`157`	`+ return "", nil, err`
`149`	`158`	`}`
`150`	`159`
`151`		`- return jws.CompactSerialize()`
	`160`	`+ return jwt, key, nil`
`152`	`161`	`}`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ func TestSignJWT(t *testing.T) {`
`32`	`32`	`},`
`33`	`33`	`)`
`34`	`34`
`35`		`- jwt, err := oauth2.SignJWT(claims, oauth2.JWKSigner(oauth2.ClientConfig{`
	`35`	`+ jwt, _, err := oauth2.SignJWT(claims, oauth2.JWKSigner(oauth2.ClientConfig{`
`36`	`36`	`SigningKey: "./testdata/jwks-private.json",`
`37`	`37`	`}, http.DefaultClient))`
`38`	`38`	`require.NoError(t, err)`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ type Request struct {`
`7`	`7`	`URL *url.URL`
`8`	`8`	`Headers map[string][]string`
`9`	`9`	`Form url.Values`
	`10`	`+ Key interface{}`
`10`	`11`	`}`
`11`	`12`
`12`	`13`	`func (r *Request) Get(key string) string {`