implement private jwt login flow by passing the client assertion to the token endpoint

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

Author: julien-nc

lib/Controller/LoginController.php

@@ -21,6 +21,7 @@
 use OCA\UserOIDC\Event\TokenObtainedEvent;
 use OCA\UserOIDC\Helper\HttpClientHelper;
 use OCA\UserOIDC\Service\DiscoveryService;
+use OCA\UserOIDC\Service\JwkService;
 use OCA\UserOIDC\Service\LdapService;
 use OCA\UserOIDC\Service\OIDCService;
 use OCA\UserOIDC\Service\ProviderService;
@@ -91,6 +92,7 @@ public function __construct(
 		private ICrypto $crypto,
 		private TokenService $tokenService,
 		private OidcService $oidcService,
+		private JwkService $jwkService,
 	) {
 		parent::__construct($request, $config, $l10n);
 	}
@@ -373,6 +375,7 @@ public function code(string $state = '', string $code = '', string $scope = '',
 		$oidcSystemConfig = $this->config->getSystemValue('user_oidc', []);
 		$isPkceSupported = in_array('S256', $discovery['code_challenge_methods_supported'] ?? [], true);
 		$isPkceEnabled = $isPkceSupported && ($oidcSystemConfig['use_pkce'] ?? true);
+		$usePrivateKeyJwt = $this->providerService->getSetting($providerId, ProviderService::SETTING_USE_PRIVATE_KEY_JWT, '0') !== '0';
 
 		try {
 			$requestBody = [
@@ -402,15 +405,21 @@ public function code(string $state = '', string $code = '', string $scope = '',
 				$tokenEndpointAuthMethod = 'client_secret_post';
 			}
 
-			if ($tokenEndpointAuthMethod === 'client_secret_basic') {
+			// private key JWT auth does not work with client_secret_basic, we don't wanna pass the client secret
+			if ($tokenEndpointAuthMethod === 'client_secret_basic' && !$usePrivateKeyJwt) {
 				$headers = [
 					'Authorization' => 'Basic ' . base64_encode($provider->getClientId() . ':' . $providerClientSecret),
 					'Content-Type' => 'application/x-www-form-urlencoded',
 				];
 			} else {
 				// Assuming client_secret_post as no other option is supported currently
 				$requestBody['client_id'] = $provider->getClientId();
-				$requestBody['client_secret'] = $providerClientSecret;
+				if ($usePrivateKeyJwt) {
+					$requestBody['client_assertion_type'] = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
+					$requestBody['client_assertion'] = $this->jwkService->generateClientAssertion($provider, $discovery['issuer'], $code);
+				} else {
+					$requestBody['client_secret'] = $providerClientSecret;
+				}
 			}
 
 			$body = $this->clientService->post(

lib/Service/JwkService.php

@@ -10,6 +10,7 @@
 
 require_once __DIR__ . '/../../vendor/autoload.php';
 
+use OCA\UserOIDC\Db\Provider;
 use OCA\UserOIDC\Vendor\Firebase\JWT\JWK;
 use OCA\UserOIDC\Vendor\Firebase\JWT\JWT;
 use OCP\AppFramework\Services\IAppConfig;
@@ -164,6 +165,27 @@ public function createJwt(array $payload, \OpenSSLAsymmetricKey $key, string $ke
 		return JWT::encode($payload, $key, $alg, $keyId);
 	}
 
+	public function generateClientAssertion(Provider $provider, string $discoveryIssuer, ?string $code = null): string {
+		$myPemPrivateKey = $this->getMyPemSignatureKey();
+		$sslPrivateKey = openssl_pkey_get_private($myPemPrivateKey);
+		$pemPrivateKeyExpiresAt = $this->appConfig->getAppValueInt(self::PEM_SIG_KEY_EXPIRES_AT_SETTINGS_KEY, lazy: true);
+
+		$payload = [
+			'sub' => $provider->getClientId(),
+			'aud' => $discoveryIssuer,
+			'iss' => $provider->getClientId(),
+			'iat' => time(),
+			'exp' => time() + 60,
+			'jti' => \bin2hex(\random_bytes(16)),
+		];
+
+		if ($code !== null) {
+			$payload['code'] = $code;
+		}
+
+		return $this->createJwt($payload, $sslPrivateKey, 'sig_key_' . $pemPrivateKeyExpiresAt, 'ES384');
+	}
+
 	public function debug(): array {
 		$myPemPrivateKey = $this->getMyPemSignatureKey();
 		$sslPrivateKey = openssl_pkey_get_private($myPemPrivateKey);