fix(oauth): fix client auth for public clients, use createLocalJWKSet (#132)

Two changes:

1. Clients that omit `token_endpoint_auth_method` in their metadata get
   the Zod schema default of `client_secret_basic`, which isn't supported
   by AT Protocol OAuth. The type assertion silently passed this through,
   causing `invalid_client` at the token endpoint. Now explicitly maps:
   only `private_key_jwt` is preserved, everything else becomes `none`.

2. Replace hand-rolled JWKS key selection with jose's `createLocalJWKSet`
   which handles key matching by kid, alg, use, and key_ops.

Author: ascorbic

.changeset/fix-oauth-client-auth.md

@@ -0,0 +1,8 @@
+---
+"@getcirrus/oauth-provider": patch
+---
+
+Fix OAuth client authentication failures for public clients and mixed JWKS
+
+- Fix `invalid_client` error for clients that omit `token_endpoint_auth_method` in their metadata (Zod default of `client_secret_basic` was passed through unsupported)
+- Fix `invalid usage "encrypt"` error when client JWKS contains both signing and encryption keys by using jose's `createLocalJWKSet` for proper key selection

packages/oauth-provider/src/client-auth.ts

@@ -5,13 +5,13 @@
 
 import {
 	jwtVerify,
+	createLocalJWKSet,
 	createRemoteJWKSet,
-	importJWK,
 	errors,
 	customFetch,
 } from "jose";
 import type { JWTPayload } from "jose";
-import type { ClientMetadata, JWK } from "./storage.js";
+import type { ClientMetadata } from "./storage.js";
 
 const { JOSEError } = errors;
 
@@ -93,30 +93,9 @@ export async function verifyClientAssertion(
 	let keyResolver: Parameters<typeof jwtVerify>[1];
 
 	if (client.jwks && client.jwks.keys.length > 0) {
-		// For inline JWKS, we need to find the right key based on the JWT header
-		keyResolver = async (header) => {
-			const keys = client.jwks!.keys;
-			// Find key by kid if present, otherwise use first key with matching alg
-			let key: JWK | undefined;
-			if (header.kid) {
-				key = keys.find((k) => k.kid === header.kid);
-			}
-			if (!key) {
-				key = keys.find((k) => !k.alg || k.alg === header.alg);
-			}
-			if (!key) {
-				key = keys[0];
-			}
-			if (!key) {
-				throw new ClientAuthError(
-					"No suitable key found in client JWKS",
-					"invalid_client",
-				);
-			}
-			// Pass the algorithm from the header when the JWK doesn't have one
-			const alg = key.alg ?? header.alg;
-			return importJWK(key as Parameters<typeof importJWK>[0], alg);
-		};
+		// Use jose's createLocalJWKSet which handles key selection by
+		// kid, alg, use, and key_ops
+		keyResolver = createLocalJWKSet(client.jwks);
 	} else if (client.jwksUri) {
 		// Use remote JWKS
 		keyResolver = createRemoteJWKSet(new URL(client.jwksUri), {

packages/oauth-provider/src/client-resolver.ts

@@ -232,8 +232,9 @@ export class ClientResolver {
 			logoUri: doc.logo_uri,
 			clientUri: doc.client_uri,
 			tokenEndpointAuthMethod:
-				(doc.token_endpoint_auth_method as "none" | "private_key_jwt") ??
-				"none",
+				doc.token_endpoint_auth_method === "private_key_jwt"
+					? "private_key_jwt"
+					: "none",
 			jwks: doc.jwks as { keys: JWK[] } | undefined,
 			jwksUri: doc.jwks_uri,
 			cachedAt: Date.now(),

packages/oauth-provider/test/client-resolver.test.ts

@@ -126,6 +126,57 @@ describe("ClientResolver", () => {
 		});
 	});
 
+	describe("token_endpoint_auth_method mapping", () => {
+		it("maps unrecognized auth methods to none (public client)", async () => {
+			const clientId = "https://app.example.com/client-metadata.json";
+
+			// Metadata without token_endpoint_auth_method — Zod schema
+			// defaults it to "client_secret_basic" which we don't support
+			const metadata = {
+				client_id: clientId,
+				client_name: "App",
+				redirect_uris: ["https://app.example.com/callback"],
+				// token_endpoint_auth_method omitted (defaults to client_secret_basic)
+			};
+
+			const mockFetch = vi.fn().mockResolvedValue({
+				ok: true,
+				json: () => Promise.resolve(metadata),
+			});
+
+			const resolver = new ClientResolver({
+				fetch: mockFetch as unknown as typeof fetch,
+			});
+
+			const result = await resolver.resolveClient(clientId);
+			expect(result.tokenEndpointAuthMethod).toBe("none");
+		});
+
+		it("preserves private_key_jwt auth method", async () => {
+			const clientId = "https://app.example.com/client-metadata.json";
+
+			const metadata = {
+				client_id: clientId,
+				client_name: "Confidential App",
+				redirect_uris: ["https://app.example.com/callback"],
+				token_endpoint_auth_method: "private_key_jwt",
+				jwks_uri: "https://app.example.com/jwks",
+			};
+
+			const mockFetch = vi.fn().mockResolvedValue({
+				ok: true,
+				json: () => Promise.resolve(metadata),
+			});
+
+			const resolver = new ClientResolver({
+				fetch: mockFetch as unknown as typeof fetch,
+			});
+
+			const result = await resolver.resolveClient(clientId);
+			expect(result.tokenEndpointAuthMethod).toBe("private_key_jwt");
+		});
+	});
+
 	describe("cache invalidation", () => {
 		it("re-fetches cached client without tokenEndpointAuthMethod", async () => {
 			// This test ensures we don't use stale cache entries from before