feat: experimental support for JWT profile authentication using ZITADEL (#182)

* feat: #181 first draft for JWT profile auth

* #181: add docs and variable expansion

* chore: cleanup

Author: sevensolutions

src/config.go

@@ -2,6 +2,7 @@ package src
 
 import (
 	"context"
+	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
@@ -12,6 +13,8 @@ import (
 	"strings"
 	"text/template"
 
+	"github.com/golang-jwt/jwt/v5"
+
 	"github.com/sevensolutions/traefik-oidc-auth/src/errorPages"
 	"github.com/sevensolutions/traefik-oidc-auth/src/logging"
 	"github.com/sevensolutions/traefik-oidc-auth/src/rules"
@@ -70,8 +73,10 @@ type ProviderConfig struct {
 	CABundle     string `json:"ca_bundle"`
 	CABundleFile string `json:"ca_bundle_file"`
 
-	ClientId     string `json:"client_id"`
-	ClientSecret string `json:"client_secret"`
+	ClientId              string `json:"client_id"`
+	ClientSecret          string `json:"client_secret"`
+	ClientJwtPrivateKey   string `json:"client_jwt_private_key"`
+	ClientJwtPrivateKeyId string `json:"client_jwt_private_key_id"`
 
 	UsePkce     string `json:"use_pkce"`
 	UsePkceBool bool   `json:"use_pkce_bool"`
@@ -196,6 +201,8 @@ func New(uctx context.Context, next http.Handler, config *Config, name string) (
 	config.Provider.Url = utils.ExpandEnvironmentVariableString(config.Provider.Url)
 	config.Provider.ClientId = utils.ExpandEnvironmentVariableString(config.Provider.ClientId)
 	config.Provider.ClientSecret = utils.ExpandEnvironmentVariableString(config.Provider.ClientSecret)
+	config.Provider.ClientJwtPrivateKeyId = utils.ExpandEnvironmentVariableString(config.Provider.ClientJwtPrivateKeyId)
+	config.Provider.ClientJwtPrivateKey = utils.ExpandEnvironmentVariableString(config.Provider.ClientJwtPrivateKey)
 	config.Provider.UsePkceBool, err = utils.ExpandEnvironmentVariableBoolean(config.Provider.UsePkce, config.Provider.UsePkceBool)
 	if err != nil {
 		return nil, err
@@ -215,6 +222,14 @@ func New(uctx context.Context, next http.Handler, config *Config, name string) (
 		return nil, err
 	}
 
+	var clientAssertionPrivateKey *rsa.PrivateKey
+	if config.Provider.ClientJwtPrivateKey != "" && config.Provider.ClientJwtPrivateKeyId != "" {
+		clientAssertionPrivateKey, err = jwt.ParseRSAPrivateKeyFromPEM([]byte(config.Provider.ClientJwtPrivateKey))
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	config.Provider.CABundle = utils.ExpandEnvironmentVariableString(config.Provider.CABundle)
 	config.Provider.CABundleFile = utils.ExpandEnvironmentVariableString(config.Provider.CABundleFile)
 	config.Provider.TokenValidation = utils.ExpandEnvironmentVariableString(config.Provider.TokenValidation)
@@ -335,6 +350,7 @@ func New(uctx context.Context, next http.Handler, config *Config, name string) (
 		next:                     next,
 		httpClient:               httpClient,
 		ProviderURL:              parsedURL,
+		ClientJwtPrivateKey:      clientAssertionPrivateKey,
 		CallbackURL:              parsedCallbackURL,
 		Config:                   config,
 		SessionStorage:           session.CreateCookieSessionStorage(),

src/main.go

@@ -2,6 +2,7 @@ package src
 
 import (
 	"bytes"
+	"crypto/rsa"
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
@@ -27,6 +28,7 @@ type TraefikOidcAuth struct {
 	next                     http.Handler
 	httpClient               *http.Client
 	ProviderURL              *url.URL
+	ClientJwtPrivateKey      *rsa.PrivateKey
 	CallbackURL              *url.URL
 	Config                   *Config
 	SessionStorage           session.SessionStorage

src/oidc.go

@@ -11,6 +11,7 @@ import (
 	"net/url"
 	"path"
 	"strings"
+	"time"
 
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/sevensolutions/traefik-oidc-auth/src/logging"
@@ -84,6 +85,16 @@ func exchangeAuthCode(oidcAuth *TraefikOidcAuth, req *http.Request, authCode str
 		urlValues.Add("client_secret", oidcAuth.Config.Provider.ClientSecret)
 	}
 
+	if oidcAuth.ClientJwtPrivateKey != nil {
+		clientAssertionToken, err := oidcAuth.getClientAssertionJwtToken()
+		if err != nil {
+			return nil, err
+		}
+
+		urlValues.Add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
+		urlValues.Add("client_assertion", clientAssertionToken)
+	}
+
 	if oidcAuth.Config.Provider.UsePkceBool {
 		codeVerifierCookie, err := req.Cookie(getCodeVerifierCookieName(oidcAuth.Config))
 		if err != nil {
@@ -108,7 +119,7 @@ func exchangeAuthCode(oidcAuth *TraefikOidcAuth, req *http.Request, authCode str
 
 	if resp.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(resp.Body)
-		oidcAuth.logger.Log(logging.LevelError, "exchangeAuthCode: received bad HTTP response from Provider: %s", string(body))
+		oidcAuth.logger.Log(logging.LevelError, "exchangeAuthCode: received bad HTTP response from Provider (Status: %d): %s", resp.StatusCode, string(body))
 		return nil, errors.New("invalid status code")
 	}
 
@@ -172,6 +183,16 @@ func (toa *TraefikOidcAuth) introspectToken(token string) (bool, map[string]inte
 		"token": {token},
 	}
 
+	if toa.ClientJwtPrivateKey != nil {
+		clientAssertionToken, err := toa.getClientAssertionJwtToken()
+		if err != nil {
+			return false, nil, err
+		}
+
+		data.Add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
+		data.Add("client_assertion", clientAssertionToken)
+	}
+
 	//log(toa.Config.LogLevel, LogLevelDebug, "Token: %s", token)
 
 	endpoint := toa.DiscoveryDocument.IntrospectionEndpoint
@@ -254,3 +275,23 @@ func (toa *TraefikOidcAuth) renewToken(refreshToken string) (*oidc.OidcTokenResp
 
 	return tokenResponse, nil
 }
+
+func (toa *TraefikOidcAuth) getClientAssertionJwtToken() (string, error) {
+	claims := jwt.MapClaims{
+		"iss": toa.Config.Provider.ClientId,
+		"sub": toa.Config.Provider.ClientId,
+		"aud": toa.Config.Provider.Url,
+		"iat": time.Now().Unix(),
+		"exp": time.Now().Add(5 * time.Minute).Unix(),
+	}
+
+	assertionToken := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	assertionToken.Header["kid"] = toa.Config.Provider.ClientJwtPrivateKeyId
+
+	clientAssertionJwt, err := assertionToken.SignedString(toa.ClientJwtPrivateKey)
+	if err != nil {
+		return "", err
+	}
+
+	return clientAssertionJwt, nil
+}

website/docs/getting-started/middleware-configuration.md

@@ -58,6 +58,8 @@ But: If you're using YAML-files for configuration you can use [traefik's templat
 | `CABundleFile`* | no | `string` | *none* | Specifies the path to an optional CA certificate bundle in case you're using self-signed certificates for the provider. If you're using Docker, make sure the file is mounted into the traefik container. |
 | `ClientId`* | yes | `string` | *none* | The client id of the application. |
 | `ClientSecret`* | no | `string` | *none* | The client secret of the application. May not be needed for some providers when using PKCE. |
+| `ClientJwtPrivateKeyId`* | no | `string` | *none* | Specifies the key id (`keyId` field in the downloaded file) of a [JWT Profile](https://zitadel.com/docs/guides/integrate/token-introspection/private-key-jwt). Only works with ZITADEL. Note: This is a little bit experimental and not well tested yet. |
+| `ClientJwtPrivateKey`* | no | `string` | *none* | Specifies the private key (`key` field in the downloaded file) of a [JWT Profile](https://zitadel.com/docs/guides/integrate/token-introspection/private-key-jwt). Only works with ZITADEL. Note: This is a little bit experimental and not well tested yet. |
 | `UsePkce`* | no | `bool` | `false`| Enable PKCE. In this case, a client secret may not be needed for some providers. The following algorithms are supported: *RS*, *EC*, *ES*. |
 | `ValidateIssuer`* | no | `bool` | `true` | Specifies whether the `iss` claim in the JWT-token should be validated. |
 | `ValidIssuer`* | no | `string` | *discovery document* | The issuer which must be present in the JWT-token. By default this will be read from the OIDC discovery document. |