Merge pull request #1029 from auth0/feat/SDK-3862-private_key_jwt

examples/basic-example/.gitignore

@@ -0,0 +1,6 @@
+node_modules
+dist
+.env
+.next
+.DS_Store
+package-lock.json

examples/kitchen-sink-example/.env.local.template

@@ -3,3 +3,5 @@ AUTH0_ISSUER_BASE_URL=
 AUTH0_BASE_URL=
 AUTH0_CLIENT_ID=
 AUTH0_CLIENT_SECRET=
+AUTH0_AUDIENCE=
+AUTH0_SCOPE=openid profile email read:shows

package.json

@@ -106,6 +106,7 @@
     "eslint-plugin-react-hooks": "^4.2.0",
     "jest": "^27.2.0",
     "next": "^13.1.3",
+    "jest-environment-node-single-context": "^27.3.0",
     "nock": "^13.0.5",
     "oidc-provider": "^7.6.0",
     "on-headers": "^1.0.2",
@@ -136,7 +137,7 @@
     "next": ">=10"
   },
   "jest": {
-    "testEnvironment": "node",
+    "testEnvironment": "jest-environment-node-single-context",
     "rootDir": ".",
     "moduleFileExtensions": [
       "ts",

src/auth0-session/client.ts

@@ -1,10 +1,12 @@
-import { Issuer, custom, Client, EndSessionParameters } from 'openid-client';
+import { Issuer, custom, Client, EndSessionParameters, ClientAuthMethod } from 'openid-client';
 import url, { UrlObject } from 'url';
 import urlJoin from 'url-join';
 import createDebug from './utils/debug';
 import { DiscoveryError } from './utils/errors';
 import { Config } from './config';
 import { ParsedUrlQueryInput } from 'querystring';
+import { exportJWK } from 'jose';
+import { createPrivateKey } from 'crypto';
 
 const debug = createDebug('client');
 
@@ -88,11 +90,23 @@ export default function get(config: Config, { name, version }: Telemetry): Clien
       );
     }
 
-    client = new issuer.Client({
-      client_id: config.clientID,
-      client_secret: config.clientSecret,
-      id_token_signed_response_alg: config.idTokenSigningAlg
-    });
+    let jwks;
+    if (config.clientAssertionSigningKey) {
+      const privateKey = createPrivateKey({ key: config.clientAssertionSigningKey });
+      const jwk = await exportJWK(privateKey);
+      jwks = { keys: [jwk] };
+    }
+
+    client = new issuer.Client(
+      {
+        client_id: config.clientID,
+        client_secret: config.clientSecret,
+        id_token_signed_response_alg: config.idTokenSigningAlg,
+        token_endpoint_auth_method: config.clientAuthMethod as ClientAuthMethod,
+        token_endpoint_auth_signing_alg: config.clientAssertionSigningAlg
+      },
+      jwks
+    );
     client[custom.clock_tolerance] = config.clockTolerance;
 
     if (config.idpLogout && !issuer.end_session_endpoint) {

src/auth0-session/config.ts

@@ -1,5 +1,5 @@
 import type { IncomingMessage } from 'http';
-import type { AuthorizationParameters as OidcAuthorizationParameters } from 'openid-client';
+import type { AuthorizationParameters as OidcAuthorizationParameters, ClientAuthMethod } from 'openid-client';
 import { SessionStore } from './session/stateful-session';
 
 /**
@@ -162,6 +162,28 @@ export interface Config {
      */
     callback: string;
   };
+
+  /**
+   * The clients authentication method. Default is `none` when using response_type='id_token`,`private_key_jwt` when
+   * using a `clientAssertionSigningKey`, otherwise `client_secret_basic`.
+   */
+  clientAuthMethod?: ClientAuthMethod;
+
+  /**
+   * Private key for use with `private_key_jwt` clients.
+   * This should be a string that is the contents of a PEM file.
+   * you can also use the `AUTH0_CLIENT_ASSERTION_SIGNING_KEY` environment variable.
+   */
+  clientAssertionSigningKey?: string;
+
+  /**
+   * The algorithm used to sign the client assertion JWT.
+   * Uses one of `token_endpoint_auth_signing_alg_values_supported` if not specified.
+   * If the Authorization Server discovery document does not list `token_endpoint_auth_signing_alg_values_supported`
+   * this property will be required.
+   * You can also use the `AUTH0_CLIENT_ASSERTION_SIGNING_ALG` environment variable.
+   */
+  clientAssertionSigningAlg?: string;
 }
 
 /**