feat: sso.oidc jwksUri verify-only mode (cross-service asymmetric JWT, no discovery) #18
Merged
Conversation
… discovery) Add JWKSURI + SigningAlgorithms fields to ProviderConfig. When JWKSURI is set, InitProvider skips OIDC discovery and builds an IDTokenVerifier directly from the remote JWKS endpoint (oidc.NewRemoteKeySet + oidc.NewVerifier). Enables cross-service asymmetric JWT verification (e.g. auth.m2m ES256 tokens) without a shared secret or discovery server. Default algs include ES256+RS256 to avoid go-oidc v3 RS256-only default rejecting ES256 tokens (cycle-2 F1). Module config parses jwksUri + signingAlgorithms keys via new getStringSlice helper. TDD: 6 tests covering accept/reject-wrong-key/aud-mismatch/iss-mismatch/default-algs/module-init-propagation; confirmed discovery endpoint not hit.
Add provider configuration section to README covering both OIDC discovery and jwksUri verify-only modes. Table documents issuer/jwksUri/clientId/signingAlgorithms fields with defaults. Notes the ES256+RS256 default rationale (go-oidc v3 RS256-only default) and verify-only constraint.
- step.sso_refresh_token + step.sso_token_exchange now return a clean error
('provider is verify-only (jwksUri mode)') instead of an opaque empty-endpoint
oauth2 failure when invoked against a jwksUri (no-discovery) provider.
- remove unused math/big import + misleading suppression from the new test.
Pull request overview
Adds a jwksUri verify-only mode to the sso.oidc module so the plugin can verify ES256/RS256 JWTs from a remote JWKS URL without performing OIDC discovery. This is the first of three PRs enabling cross-service asymmetric M2M auth (workflow-plugin-auth#41).
Changes:
- InitProvider branches on cfg.JWKSURI: when set, builds an oidc.IDTokenVerifier directly from oidc.NewRemoteKeySet, defaulting SupportedSigningAlgs to [ES256, RS256] to avoid go-oidc v3's silent RS256-only default.
- ProviderConfig gains JWKSURI and SigningAlgorithms; parseProviderConfig and a new getStringSlice helper propagate them from the YAML/map config.
- step.sso_token_exchange and step.sso_refresh_token now return a clean "verify-only" error against jwksUri-mode providers (whose OAuthCfg.Endpoint.TokenURL is empty); step.sso_userinfo was not similarly guarded.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| README.md | Documents the new jwksUri verify-only mode and field semantics. |
| internal/oidc.go | Adds the JWKS-URI branch in InitProvider and the new JWKSURI/SigningAlgorithms fields on ProviderConfig. |
| internal/module_oidc.go | Wires the two new fields through parseProviderConfig; introduces getStringSlice. |
| internal/step_token_exchange.go | Returns a verify-only error when the provider has no token endpoint. |
| internal/step_refresh_token.go | Same verify-only guard for refresh. |
| internal/oidc_jwksuri_test.go | Adds 6 tests covering accept/reject paths, default algorithms, and module init for jwksUri mode. |
…s nil Provider) Copilot: step.sso_userinfo called provider.Provider.UserInfo — nil-panics for a jwksUri (no-discovery) provider. Same clean verify-only error as refresh/exchange.
Adds a jwksUri-only verification mode to sso.oidc so a Workflow app can verify another app's (or any issuer's) ES256/RS256 JWT directly from a published JWKS URL — without OIDC discovery and without a shared secret. This is the enabling primitive for cross-service asymmetric M2M auth (workflow-plugin-auth#41).

What

- ProviderConfig gains jwksUri + signingAlgorithms.
- When jwksUri is set, InitProvider builds the verifier via oidc.NewRemoteKeySet + oidc.NewVerifier (skips /.well-known/openid-configuration discovery). The discovery path (jwksUri == "") is unchanged.
- signingAlgorithms defaults to ["ES256", "RS256"] — required because go-oidc v3 defaults to RS256-only when SupportedSigningAlgs is empty, which would silently reject ES256 tokens.
- step.sso_validate_token flows a jwksUri-built verifier unchanged; issuer pinned + audience checked (when clientId set).
- Verify-only: step.sso_refresh_token / step.sso_token_exchange return a clean "verify-only" error against a jwksUri provider (require the discovery path).

Why

Reuse over rebuild (auth#41): no bespoke IDP — App A issues ES256 via the engine auth.m2m module (+ /oauth/jwks); App B verifies via this mode. Demonstrated end-to-end in workflow-scenarios scenario 102 (next PR).

Tests

6 new tests (accept valid; reject different-key = proves asymmetric; reject aud-mismatch; reject iss-mismatch; default-algs; module init).

go test -race ./... green, go build clean, golangci-lint --new-from-rev: 0 issues. Discovery path covered by existing unchanged tests.

PR 1 of 3 (auth#41). Design/ADR-0003 in workflow-plugin-auth.
🤖 Generated with Claude Code
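The verify-only path the PR description above relies on, as an added example that is not part of the sso.oidc plugin or the auth.m2m module: a stdlib-only Go program that publishes a P-256 key as a JWKS document (the issuer's side), mints an ES256 JWT the way an issuing service would, and checks it with the same steps the jwksUri mode delegates to go-oidc (algorithm allow-list, key lookup by kid, signature, issuer, audience, expiry). No go-oidc call is used. The function names (publishJWKS, loadJWKS, signES256, verify, issueAndVerify), the kid "m2m-1" and the issuer URLs are assumptions made here, and both key pairs are generated at run time. The last case in main shows why the PR defaults signingAlgorithms to ES256+RS256: with an RS256-only allow-list, which is what go-oidc v3 applies when SupportedSigningAlgs is empty, a correctly signed ES256 token is rejected before its signature is even examined.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// verifier mirrors the jwksUri-mode configuration: keys by kid, pinned issuer, audience (clientId, optional), alg allow-list.
type verifier struct {
	keys        map[string]*ecdsa.PublicKey
	issuer, aud string
	algs        map[string]bool
}

// publishJWKS renders one P-256 public key the way an issuer's JWKS endpoint serves it (constructed document).
func publishJWKS(pub *ecdsa.PublicKey, kid string) []byte {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return []byte(fmt.Sprintf(`{"keys":[{"kty":"EC","crv":"P-256","kid":%q,"x":%q,"y":%q}]}`,
		kid, b64.EncodeToString(x), b64.EncodeToString(y)))
}

// loadJWKS parses a JWKS document into keys by kid (EC P-256 only in this example); no discovery document is needed.
func loadJWKS(doc []byte) (map[string]*ecdsa.PublicKey, error) {
	var set struct{ Keys []map[string]string }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]*ecdsa.PublicKey{}
	for _, k := range set.Keys {
		x, errX := b64.DecodeString(k["x"])
		y, errY := b64.DecodeString(k["y"])
		pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		if k["kty"] != "EC" || k["crv"] != "P-256" || errX != nil || errY != nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
			return nil, fmt.Errorf("jwks: unusable key %q", k["kid"])
		}
		keys[k["kid"]] = pub
	}
	return keys, nil
}

// signES256 is the issuing side: JOSE header + claims, ECDSA P-256 over SHA-256, raw r||s signature per RFC 7518.
func signES256(priv *ecdsa.PrivateKey, kid string, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// verify performs the checks the jwksUri mode leaves to go-oidc: alg allow-list, key by kid, signature, then iss, aud, exp.
func (v verifier) verify(token string) (*claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	raw, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	if !v.algs[hdr.Alg] || hdr.Alg != "ES256" { // RS256 may be allow-listed by config; this example implements ES256 only
		return nil, fmt.Errorf("alg %q not accepted", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub := v.keys[hdr.Kid]; pub == nil || err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature check failed for kid %q", hdr.Kid) // unknown kid, wrong key or tampered token
	}
	var c claims // claims are parsed only after the signature is known good
	if raw, err = b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("malformed claims")
	}
	if c.Iss != v.issuer || (v.aud != "" && c.Aud != v.aud) || time.Now().Unix() >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

// issueAndVerify mints a token with key and runs it through v; a nil result means accepted.
func issueAndVerify(key *ecdsa.PrivateKey, kid string, c claims, v verifier) error {
	tok, err := signES256(key, kid, c)
	if err == nil {
		_, err = v.verify(tok)
	}
	return err
}

func main() {
	issuerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // App A's signing key (generated for the demo)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // another party's key, presented under the same kid
	keys, err := loadJWKS(publishJWKS(&issuerKey.PublicKey, "m2m-1"))
	if err != nil {
		panic(err)
	}
	const iss = "https://app-a.example/"
	appB := verifier{keys, iss, "app-b", map[string]bool{"ES256": true, "RS256": true}} // the PR's default algs
	rs256Only := verifier{keys, iss, "app-b", map[string]bool{"RS256": true}}           // go-oidc v3 with algs left unset
	exp := time.Now().Add(time.Minute).Unix()
	fmt.Println("valid:       ", issueAndVerify(issuerKey, "m2m-1", claims{iss, "app-b", exp}, appB))
	fmt.Println("wrong key:   ", issueAndVerify(rogueKey, "m2m-1", claims{iss, "app-b", exp}, appB))
	fmt.Println("aud mismatch:", issueAndVerify(issuerKey, "m2m-1", claims{iss, "app-c", exp}, appB))
	fmt.Println("iss mismatch:", issueAndVerify(issuerKey, "m2m-1", claims{"https://evil.example/", "app-b", exp}, appB))
	fmt.Println("RS256-only:  ", issueAndVerify(issuerKey, "m2m-1", claims{iss, "app-b", exp}, rs256Only))
}
```

The audience check is skipped when aud is empty, matching the PR's "audience checked (when clientId set)"; the issuer is always compared, which is the pinning that stops a token from a different JWKS-publishing service being accepted just because its key happens to be reachable. The "wrong key" case signs with a second private key under the same kid, so the rejection comes from the ECDSA check itself rather than from a kid lookup miss, which is what makes the mode asymmetric in practice.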