Unable to use private_key_jwt auth method with Azure.

[nlfiedler]

The issue is simple, as described a while back in #642 -- I would like to use private_key_jwt with Azure, to the same extent that I can with Okta. Granted, a little work-around is needed, as described in #423, and that's fine, but that alone is not sufficient (anymore?).

In particular, it seems that Azure insists there be an x5t value in the header that is the thumbprint of the public key. No problem, I can jam that in there by hacking the openid-client library.

--- client_orig.js	2024-02-29 13:46:16
+++ client.js	2024-02-29 13:46:33
@@ -69,7 +69,7 @@
   }

   return new jose.CompactSign(Buffer.from(JSON.stringify(payload)))
-    .setProtectedHeader({ alg, kid: key.jwk && key.jwk.kid })
+    .setProtectedHeader({ alg, kid: key.jwk && key.jwk.kid, x5t: 'QHQ0fsVaR0w8U4BTGqa2FAJ9olU' })
     .sign(await key.keyObject(alg));
 }

That's obviously a hack, but it demonstrates that there is a simple fix. The question I have is, what's the right way to make it possible to add JWT header values from a design perspective, without being annoying or breaking backward compatibility? Azure needs x5t but would also like to have typ: "JWT" for some reason, despite it working fine without it.

I am using the latest release of openid-client, and the code that I have to set up the passport strategy looks like this:

  const metadata = {
    client_id: clientId,
    redirect_uris: ['https://example.com/oidc/callback'],
    response_types: ['code'],
    post_logout_redirect_uris: ['https://example.com'],
    id_token_signed_response_alg: signingAlgo || 'RS256',
    token_endpoint_auth_method = 'private_key_jwt',
    token_endpoint_auth_signing_alg = 'RS256'
  }
  const privateKey = await jose.importPKCS8(clientKey, 'RS256')
  const jwk = await jose.exportJWK(privateKey)
  jwk.kid = await jose.calculateJwkThumbprint(jwk)
  const jwks = {keys: [jwk]}
  const client = new issuer.Client(metadata, jwks)
  const strategy = new Strategy({
    client,
    passReqToCallback: true,
    usePKCE: codeChallenge || true,
    extras: {
      // Override the node-openid-client default that causes grief for Azure AD
      // which only wants to receive a single audience value.
      clientAssertionPayload: {
        aud: issuerUri,
      },
    }
  }, (req, tokenset, userinfo, done) => {
    if (issuer.end_session_endpoint) {
      req.session.endSessionUrl = client.endSessionUrl({
        id_token_hint: tokenset.id_token
      })
    }
    done(null, userinfo)
  })

In case it matters, the error that Azure returns looks like this:

invalid_client (AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application.

Let me know what you think about this issue. I'll be happy to code a proper solution and submit a PR, taking any guidance you can offer into account. Thank you.

[Physium]

so is this not fix at all?

[panva]

In v6.x the options that are available on the PrivateKeyJwt client authentication method allow for this sort of customization.