Add client_secret_jwt support

josephdecock · josephdecock · commit 927f3b94a348 · 2025-06-14T14:11:04.000-05:00
diff --git a/identity-server/src/Configuration/Validation/DynamicClientRegistration/DynamicClientRegistrationValidator.cs b/identity-server/src/Configuration/Validation/DynamicClientRegistration/DynamicClientRegistrationValidator.cs
@@ -153,7 +153,7 @@ protected virtual Task<IStepResult> SetGrantTypesAsync(DynamicClientRegistration
 
         if (context.Request.GrantTypes.Contains(OidcConstants.GrantTypes.RefreshToken))
         {
-            // Note that if we ever support additional grant types that allow refresh tokens, this 
+            // Note that if we ever support additional grant types that allow refresh tokens, this
             // could be refactored.
             if (!context.Client.AllowedGrantTypes.Contains(GrantType.AuthorizationCode))
             {
@@ -302,7 +302,7 @@ protected virtual Task<IStepResult> SetDefaultScopes(DynamicClientRegistrationCo
     }
 
     /// <summary>
-    /// Validates the requested jwks to set the secrets of the client.  
+    /// Validates the requested jwks to set the secrets of the client.
     /// </summary>
     /// <param name="context">The dynamic client registration context, which
     /// includes the client model that will have its secrets set, the DCR
@@ -317,9 +317,11 @@ protected virtual Task<IStepResult> SetSecretsAsync(DynamicClientRegistrationCon
             return StepResult.Failure("The jwks_uri and jwks parameters must not be used together");
         }
 
-        if (context.Request.Jwks is null && context.Request.TokenEndpointAuthenticationMethod == OidcConstants.EndpointAuthenticationMethods.PrivateKeyJwt)
+        if (context.Request.Jwks is null &&
+            context.Request.TokenEndpointAuthenticationMethod is
+                OidcConstants.EndpointAuthenticationMethods.PrivateKeyJwt or "client_secret_jwt")
         {
-            return StepResult.Failure("Missing jwks parameter - the private_key_jwt token_endpoint_auth_method requires the jwks parameter");
+            return StepResult.Failure($"Missing jwks parameter - the {context.Request.TokenEndpointAuthenticationMethod} token_endpoint_auth_method requires the jwks parameter");
 
         }
         if (context.Request.Jwks is not null)
@@ -571,7 +573,7 @@ protected virtual Task<IStepResult> SetServerSideSessionProperties(DynamicClient
     /// Validates details of the request that control the user interface,
     /// including the logo uri, client uri, initiate login uri, enable local
     /// login flag, and identity provider restrictions, and uses them to set the
-    /// corresponding client properties. 
+    /// corresponding client properties.
     /// </summary>
     /// <param name="context">The dynamic client registration context, which
     /// includes the client model that will have miscellaneous properties set,
diff --git a/identity-server/src/IdentityServer/ResponseHandling/Default/DiscoveryResponseGenerator.cs b/identity-server/src/IdentityServer/ResponseHandling/Default/DiscoveryResponseGenerator.cs
@@ -326,14 +326,22 @@ where scope.ShowInDiscoveryDocument
                 types.Add(OidcConstants.EndpointAuthenticationMethods.TlsClientAuth);
                 types.Add(OidcConstants.EndpointAuthenticationMethods.SelfSignedTlsClientAuth);
             }
-            entries.Add(OidcConstants.Discovery.TokenEndpointAuthenticationMethodsSupported, types);
-
             if (types.Contains(OidcConstants.EndpointAuthenticationMethods.PrivateKeyJwt) &&
                 !IEnumerableExtensions.IsNullOrEmpty(Options.SupportedClientAssertionSigningAlgorithms))
             {
                 entries.Add(OidcConstants.Discovery.TokenEndpointAuthSigningAlgorithmsSupported,
                     Options.SupportedClientAssertionSigningAlgorithms);
+                if (Options.SupportedClientAssertionSigningAlgorithms.Any(alg => alg.StartsWith("HS")))
+                {
+                    types.Add("client_secret_jwt");
+                }
+
+                if (Options.SupportedClientAssertionSigningAlgorithms.All(alg => alg.StartsWith("HS")))
+                {
+                    types.Remove("private_key_jwt");
+                }
             }
+            entries.Add(OidcConstants.Discovery.TokenEndpointAuthenticationMethodsSupported, types);
         }
 
         var signingCredentials = await Keys.GetAllSigningCredentialsAsync();
diff --git a/identity-server/test/IdentityServer.IntegrationTests/Endpoints/Discovery/DiscoveryEndpointTests_token_endpoint_auth_signing_algs_supported.cs b/identity-server/test/IdentityServer.IntegrationTests/Endpoints/Discovery/DiscoveryEndpointTests_token_endpoint_auth_signing_algs_supported.cs
@@ -10,33 +10,53 @@
 
 namespace IntegrationTests.Endpoints.Discovery;
 
-public class DiscoveryEndpointTests_token_endpoint_auth_signing_alg_values_supported
+public class DiscoveryEndpointTests_token_endpoint_auth
 {
-    private const string Category = "Discovery endpoint - token_endpoint_auth_signing_alg_values_supported";
+    private const string Category = "Discovery endpoint - token_endpoint_auth";
 
-    [Fact]
+    [Theory]
     [Trait("Category", Category)]
-    public async Task token_endpoint_auth_signing_alg_values_supported_should_match_configuration()
+    [InlineData(true, true, SecurityAlgorithms.RsaSha256, SecurityAlgorithms.HmacSha256)]
+    [InlineData(true, true, SecurityAlgorithms.RsaSsaPssSha384, SecurityAlgorithms.HmacSha384)]
+    [InlineData(true, true, SecurityAlgorithms.EcdsaSha512, SecurityAlgorithms.HmacSha512)]
+    [InlineData(false, true, SecurityAlgorithms.HmacSha256)]
+    [InlineData(false, true, SecurityAlgorithms.HmacSha384)]
+    [InlineData(false, true, SecurityAlgorithms.HmacSha512)]
+    [InlineData(true, false, SecurityAlgorithms.RsaSha256)]
+    [InlineData(true, false, SecurityAlgorithms.RsaSha384)]
+    [InlineData(true, false, SecurityAlgorithms.RsaSha512)]
+    [InlineData(true, false, SecurityAlgorithms.RsaSsaPssSha256)]
+    [InlineData(true, false, SecurityAlgorithms.RsaSsaPssSha384)]
+    [InlineData(true, false, SecurityAlgorithms.RsaSsaPssSha512)]
+    [InlineData(true, false, SecurityAlgorithms.EcdsaSha256)]
+    [InlineData(true, false, SecurityAlgorithms.EcdsaSha384)]
+    [InlineData(true, false, SecurityAlgorithms.EcdsaSha512)]
+
+    public async Task token_endpoint_auth_should_match_configuration(bool privateKeyJwtExpected, bool clientSecretJwtExpected, params string[] algorithms)
     {
+        // This test verifies that the algorithms supported match the configured algorithms, and that
+        // the supported auth methods are appropriate for the algorithms
         var pipeline = new IdentityServerPipeline();
         pipeline.OnPostConfigureServices += svcs =>
             svcs.AddIdentityServerBuilder().AddJwtBearerClientAuthentication();
         pipeline.Initialize();
-        pipeline.Options.SupportedClientAssertionSigningAlgorithms =
-        [
-            SecurityAlgorithms.RsaSsaPssSha256,
-            SecurityAlgorithms.EcdsaSha256
-        ];
+        pipeline.Options.SupportedClientAssertionSigningAlgorithms = algorithms;
 
         var disco = await pipeline.BackChannelClient
             .GetDiscoveryDocumentAsync("https://server/.well-known/openid-configuration");
         disco.IsError.ShouldBeFalse();
 
         var algorithmsSupported = disco.TokenEndpointAuthenticationSigningAlgorithmsSupported;
 
-        algorithmsSupported.Count().ShouldBe(2);
-        algorithmsSupported.ShouldContain(SecurityAlgorithms.RsaSsaPssSha256);
-        algorithmsSupported.ShouldContain(SecurityAlgorithms.EcdsaSha256);
+        algorithmsSupported.Count().ShouldBe(algorithms.Length);
+        foreach (var algorithm in algorithms)
+        {
+            algorithmsSupported.ShouldContain(algorithm);
+        }
+
+        var authMethods = disco.TokenEndpointAuthenticationMethodsSupported;
+        authMethods.Contains("private_key_jwt").ShouldBe(privateKeyJwtExpected);
+        authMethods.Contains("client_secret_jwt").ShouldBe(clientSecretJwtExpected);
     }
 
     [Fact]
@@ -68,6 +88,10 @@ await pipeline.BackChannelClient.GetDiscoveryDocumentAsync(
         algorithmsSupported.ShouldContain(SecurityAlgorithms.HmacSha256);
         algorithmsSupported.ShouldContain(SecurityAlgorithms.HmacSha384);
         algorithmsSupported.ShouldContain(SecurityAlgorithms.HmacSha512);
+
+        var authMethods = result.TokenEndpointAuthenticationMethodsSupported;
+        authMethods.ShouldContain("private_key_jwt");
+        authMethods.ShouldContain("client_secret_jwt");
     }
 
     [Fact]
@@ -84,7 +108,6 @@ public async Task token_endpoint_auth_signing_alg_values_supported_should_not_be
         // Verify assumptions
         disco.IsError.ShouldBeFalse();
         disco.TokenEndpointAuthenticationMethodsSupported.ShouldNotContain("private_key_jwt");
-        // we don't even support client_secret_jwt, but per spec, if you DO, you must include the algs supported
         disco.TokenEndpointAuthenticationMethodsSupported.ShouldNotContain("client_secret_jwt");
 
         // Assert that we got no signing algs.

Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,7 @@ protected virtual Task<IStepResult> SetGrantTypesAsync(DynamicClientRegistration`
`153`	`153`
`154`	`154`	`if (context.Request.GrantTypes.Contains(OidcConstants.GrantTypes.RefreshToken))`
`155`	`155`	`{`
`156`		`- // Note that if we ever support additional grant types that allow refresh tokens, this`
	`156`	`+ // Note that if we ever support additional grant types that allow refresh tokens, this`
`157`	`157`	`// could be refactored.`
`158`	`158`	`if (!context.Client.AllowedGrantTypes.Contains(GrantType.AuthorizationCode))`
`159`	`159`	`{`
`@@ -302,7 +302,7 @@ protected virtual Task<IStepResult> SetDefaultScopes(DynamicClientRegistrationCo`
`302`	`302`	`}`
`303`	`303`
`304`	`304`	`/// <summary>`
`305`		`- /// Validates the requested jwks to set the secrets of the client.`
	`305`	`+ /// Validates the requested jwks to set the secrets of the client.`
`306`	`306`	`/// </summary>`
`307`	`307`	`/// <param name="context">The dynamic client registration context, which`
`308`	`308`	`/// includes the client model that will have its secrets set, the DCR`
`@@ -317,9 +317,11 @@ protected virtual Task<IStepResult> SetSecretsAsync(DynamicClientRegistrationCon`
`317`	`317`	`return StepResult.Failure("The jwks_uri and jwks parameters must not be used together");`
`318`	`318`	`}`
`319`	`319`
`320`		`- if (context.Request.Jwks is null && context.Request.TokenEndpointAuthenticationMethod == OidcConstants.EndpointAuthenticationMethods.PrivateKeyJwt)`
	`320`	`+ if (context.Request.Jwks is null &&`
	`321`	`+ context.Request.TokenEndpointAuthenticationMethod is`
	`322`	`+ OidcConstants.EndpointAuthenticationMethods.PrivateKeyJwt or "client_secret_jwt")`
`321`	`323`	`{`
`322`		`- return StepResult.Failure("Missing jwks parameter - the private_key_jwt token_endpoint_auth_method requires the jwks parameter");`
	`324`	`+ return StepResult.Failure($"Missing jwks parameter - the {context.Request.TokenEndpointAuthenticationMethod} token_endpoint_auth_method requires the jwks parameter");`
`323`	`325`
`324`	`326`	`}`
`325`	`327`	`if (context.Request.Jwks is not null)`
`@@ -571,7 +573,7 @@ protected virtual Task<IStepResult> SetServerSideSessionProperties(DynamicClient`
`571`	`573`	`/// Validates details of the request that control the user interface,`
`572`	`574`	`/// including the logo uri, client uri, initiate login uri, enable local`
`573`	`575`	`/// login flag, and identity provider restrictions, and uses them to set the`
`574`		`- /// corresponding client properties.`
	`576`	`+ /// corresponding client properties.`
`575`	`577`	`/// </summary>`
`576`	`578`	`/// <param name="context">The dynamic client registration context, which`
`577`	`579`	`/// includes the client model that will have miscellaneous properties set,`
Original file line number	Diff line number	Diff line change
`@@ -326,14 +326,22 @@ where scope.ShowInDiscoveryDocument`
`326`	`326`	`types.Add(OidcConstants.EndpointAuthenticationMethods.TlsClientAuth);`
`327`	`327`	`types.Add(OidcConstants.EndpointAuthenticationMethods.SelfSignedTlsClientAuth);`
`328`	`328`	`}`
`329`		`- entries.Add(OidcConstants.Discovery.TokenEndpointAuthenticationMethodsSupported, types);`
`330`		`-`
`331`	`329`	`if (types.Contains(OidcConstants.EndpointAuthenticationMethods.PrivateKeyJwt) &&`
`332`	`330`	`!IEnumerableExtensions.IsNullOrEmpty(Options.SupportedClientAssertionSigningAlgorithms))`
`333`	`331`	`{`
`334`	`332`	`entries.Add(OidcConstants.Discovery.TokenEndpointAuthSigningAlgorithmsSupported,`
`335`	`333`	`Options.SupportedClientAssertionSigningAlgorithms);`
	`334`	`+ if (Options.SupportedClientAssertionSigningAlgorithms.Any(alg => alg.StartsWith("HS")))`
	`335`	`+ {`
	`336`	`+ types.Add("client_secret_jwt");`
	`337`	`+ }`
	`338`	`+`
	`339`	`+ if (Options.SupportedClientAssertionSigningAlgorithms.All(alg => alg.StartsWith("HS")))`
	`340`	`+ {`
	`341`	`+ types.Remove("private_key_jwt");`
	`342`	`+ }`
`336`	`343`	`}`
	`344`	`+ entries.Add(OidcConstants.Discovery.TokenEndpointAuthenticationMethodsSupported, types);`
`337`	`345`	`}`
`338`	`346`
`339`	`347`	`var signingCredentials = await Keys.GetAllSigningCredentialsAsync();`