Support OAuth RFC - JWT for Client Authentication and Authorization Grants

[hagaivcita]

Are there any plans to support JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants?
RFC 7523

From the Abstract:

Abstract

This specification defines the use of a JSON Web Token (JWT) Bearer
Token as a means for requesting an OAuth 2.0 access token as well as
for client authentication.

[ThisIsMissEm]

The "correct" place for this would be in doorkeeper-openid_connect, but it doesn't yet support them: https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/v1.8.11/app/controllers/doorkeeper/openid_connect/discovery_controller.rb

[ThisIsMissEm]

Oh, actually, that's the client assertions spec, private_key_jwt is a token endpoint auth method, which is what I was thinking of, which allows a public client to use client credentials via JWTs https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

[hagaivcita]

Oh, actually, that's the client assertions spec, private_key_jwt is a token endpoint auth method, which is what I was thinking of, which allows a public client to use client credentials via JWTs https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

@ThisIsMissEm Thanks for the quick reply!

Yeah as you said that's in the token endpoint.
Basically private_key_jwt is a client authentication method defined in RFC 7523, instead of authenticating with the client_secret.

[ThisIsMissEm]

We'd need support somewhere for OAuth Assertion Framework RFC7521 for this to be possible — I don't think this spec is currently implemented in any maintained doorkeeper code or plugins. There was this & its forks, but they haven't been maintained in a decade: https://github.com/kiorux/doorkeeper-jwt_assertion/

[ThisIsMissEm]

This would be enabled by #1772, which allows registering additional client authentication methods.

[avner-vcita]

@ThisIsMissEm Hello! Has there been any recent progress regarding this issue?

[ThisIsMissEm]

I think #1772 is still awaiting review, but the person to review is busy with life things at the moment, so we all just need to be patient