OIDC client support for using JWTs as Authorization Grants #41213
Fixes #40905.
This PR builds on the work started by @argenstijn and makes it possible to send an OIDC client JWT authentication token as a JWT bearer grant assertion, to support a Salesforce integration.

An OIDC client must always authenticate to the OIDC server in order to complete a token grant exchange. There can be many types of grants and many types of OIDC client authentication. For example, an OIDC client can start a client credentials grant token exchange and provide a client id and secret to authenticate. In fact, a client credentials grant can instead be supported by the client JWT authentication options.
In the Salesforce case, the client JWT authentication token plays the role of the JWT bearer grant assertion value. Essentially it is like a client credentials grant, but instead of setting the `grant_type` to `client_credentials` and supplying the JWT authentication token as the client assertion authentication parameters, Salesforce expects a JWT bearer grant type whose value is the same authentication token expressed as an `assertion` property.

The PR is very simple: it adds an `assertion` boolean property to the JWT authentication group (instead of the originally suggested `grant`), and if it is set, the OIDC client passes the token as an `assertion` form property if the correct JWT bearer grant is configured by the user. A test is added to confirm it works as expected.