You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR builds on the work started by @argenstijn and makes it possible to send OIDC client JWT authentication token as a JWT bearer grant assertion to support a Salesforce integration.
OIDC client must always authenticate to the OIDC server in order to complete a token grant exchange. There could be many types of grants, and many types of the OIDC client authentication. For example, OIDC client can start a client credentials grant token exchange and provide a client id and secret to authenticate. In fact, a client credentials grant can be supported instead by a client JWT authentication options.
In the Salesforce case, the client JWT authentication token plays the role of the JWT bearer grant assertion value. Essentially it is like a client credentials grant, but instead of setting the grant_type to client_credentials and supplying the JWT authentication token as client assertion authentication parameters, Salesforce expects a JWT bearer grant type whose value is the same authentication token expressed as an assertion property.
The PR is very simple, it adds an assertion boolean property to the JWT authentication group (instead of originally suggested grant) and if it is set, OIDC client passes it as an assertion form property if the correct JWT bearer grant is configured by the user. Test is added to confirm it works as expected
Just updated the error message a bit. The reason I think it is correct to enforce that the users set the correct JWT grant themselves is that, if the users wants in fact to use another grant, then sending an assertion alongside client_credentials , etc, would make no sense
Note, as far as JWT bearer grant is concerned, it is already supported at the OIDC token propagation/exchange level but where the assertion is already supplied dynamically.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
sberyozkin
force-pushed
the
oidc_client_jwt_bearer_grant
branch
from
Fixes #40905.
This PR builds on the work started by @argenstijn and makes it possible to send OIDC client JWT authentication token as a JWT bearer grant assertion to support a Salesforce integration.
OIDC client must always authenticate to the OIDC server in order to complete a token grant exchange. There could be many types of grants, and many types of the OIDC client authentication. For example, OIDC client can start a client credentials grant token exchange and provide a client id and secret to authenticate. In fact, a client credentials grant can be supported instead by a client JWT authentication options.
In the Salesforce case, the client JWT authentication token plays the role of the JWT bearer grant assertion value. Essentially it is like a client credentials grant, but instead of setting the
grant_typetoclient_credentialsand supplying the JWT authentication token as client assertion authentication parameters, Salesforce expects a JWT bearer grant type whose value is the same authentication token expressed as anassertionproperty.The PR is very simple, it adds an
assertionboolean property to the JWT authentication group (instead of originally suggestedgrant) and if it is set, OIDC client passes it as anassertionform property if the correct JWT bearer grant is configured by the user. Test is added to confirm it works as expected