feat: JWT bearer assertions for client authentication (#566)

Co-authored-by: Kyle Mendell <ksm@ofkm.us> Co-authored-by: Kyle Mendell <kmendell@ofkm.us> Co-authored-by: Elias Schneider <login@eliasschneider.com>
2026-02-04 15:04:43 +00:00 · 2025-06-06 03:23:51 -07:00
parent 035b2c022b
commit 05bfe00924
38 changed files with 1464 additions and 293 deletions
--- a/tests/specs/ldap.spec.ts
+++ b/tests/specs/ldap.spec.ts
@@ -4,6 +4,8 @@ import { cleanupBackend } from '../utils/cleanup.util';
 test.beforeEach(cleanupBackend);

 test.describe('LDAP Integration', () => {
+	test.skip(process.env.SKIP_LDAP_TESTS === "true", 'Skipping LDAP tests due to SKIP_LDAP_TESTS environment variable');
+	
 	test('LDAP configuration is working properly', async ({ page }) => {
 		await page.goto('/settings/admin/application-configuration');

--- a/tests/specs/oidc.spec.ts
+++ b/tests/specs/oidc.spec.ts
@@ -2,7 +2,7 @@ import test, { expect } from "@playwright/test";
 import { oidcClients, refreshTokens, users } from "../data";
 import { cleanupBackend } from "../utils/cleanup.util";
 import { generateIdToken, generateOauthAccessToken } from "../utils/jwt.util";
-import oidcUtil from "../utils/oidc.util";
+import * as oidcUtil from "../utils/oidc.util";
 import passkeyUtil from "../utils/passkey.util";

 test.beforeEach(cleanupBackend);
@@ -449,3 +449,40 @@ test("Authorize new client with device authorization with user group not allowed
      .filter({ hasText: "You're not allowed to access this service." })
  ).toBeVisible();
 });
+
+test("Federated identity fails with invalid client assertion", async ({
+  page,
+}) => {
+  const client = oidcClients.federated;
+
+  const res = await oidcUtil.exchangeCode(page, {
+    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+    grant_type: 'authorization_code',
+    redirect_uri: client.callbackUrl,
+    code: client.accessCodes[0],
+    client_id: client.id,
+    client_assertion:'not-an-assertion',
+  });
+
+  expect(res?.error).toBe('Invalid client assertion');
+});
+
+test("Authorize existing client with federated identity", async ({
+  page,
+}) => {
+  const client = oidcClients.federated;
+  const clientAssertion = await oidcUtil.getClientAssertion(page, client.federatedJWT);
+
+  const res = await oidcUtil.exchangeCode(page, {
+    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+    grant_type: 'authorization_code',
+    redirect_uri: client.callbackUrl,
+    code: client.accessCodes[0],
+    client_id: client.id,
+    client_assertion: clientAssertion,
+  });
+
+  expect(res.access_token).not.toBeNull;
+  expect(res.expires_in).not.toBeNull;
+  expect(res.token_type).toBe('Bearer');
+});