kaczowkad
Changes

The omniauth-auth0 gem only supports client secret authentication. Auth0 documentation states:

To improve your security posture, we recommend using the Private Key JWT authentication method.

Opened issue #199 on 2024-11-07 to inquire about adding support for private key JWT authentication. We created a workaround to support private key JWT authentication in our application using the omniauth-auth0 gem. Opening this PR to get feedback on adding private key JWT support to the gem.

This PR adds two optional parameters to the config:

  • client_assertion_signing_key - the private key
  • client_assertion_signing_algorithm - algorithm defaults to RS256

The current interface is preserved. Client secret authentication can be used without changing the interface.

Client secret authentication:

AUTH0_CONFIG = Rails.application.config_for(:auth0)

Rails.application.config.middleware.use OmniAuth::Builder do
  provider(
    :auth0,
    AUTH0_CONFIG['auth0_client_id'],
    AUTH0_CONFIG['auth0_client_secret'],
    AUTH0_CONFIG['auth0_domain'],
    callback_path: '/auth/auth0/callback',
    authorize_params: {
      scope: 'openid profile'
    }
  )
end

Client assertion signing key:

AUTH0_CONFIG = Rails.application.config_for(:auth0)

Rails.application.config.middleware.use OmniAuth::Builder do
  provider(
    :auth0,
    AUTH0_CONFIG['auth0_client_id'],
    nil,
    AUTH0_CONFIG['auth0_domain'],
    callback_path: '/auth/auth0/callback',
    authorize_params: {
      scope: 'openid profile'
    },
    client_assertion_signing_key: AUTH0_CONFIG[:auth0_client_assertion_signing_key],
    client_assertion_signing_algorithm: AUTH0_CONFIG[:auth0_client_assertion_signing_algorithm]
  )
end

The existing code has rubocop violations which were not addressed because it was outside the scope of these changes. No new rubocop violations were introduced.

Testing

Duplicated all the specs in spec/omniauth/strategies/auth0_spec.rb for client assertion signing key. The existing specs were scoped to 'client secret authentication'. All specs passed.

Testing with Auth0 requires an application setup for private key JWT authentication. The public key must be uploaded to the application in Auth0.

  • This change adds unit test coverage
  • This change has been tested on the latest version of the platform/language or why not
    Tested with ruby 3.2.2. Built the gem and client assertion signing key authentication with a Ruby on Rails application.

Checklist

…tinuing to support client secret authentication.

The client assertion signing key allows Private Key JWT application authentication in Auth0. The client_assertion_signing_key and client_assertion_signing_algorithm are optional parameters.
Client assertion signing key will be used if a client_assertion_signing_key is provided. The client_assertion_signing_algorithm is optional. The algorithm defaults to RS256 if nil or not provided.
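For readers unfamiliar with what the new parameters are used for, the following is an added illustration of a private_key_jwt exchange on both sides; it is not code from this PR or from the omniauth-auth0 gem. The client signs a client_assertion with the private key (the role of client_assertion_signing_key), and the token endpoint checks it against the public key uploaded to the Auth0 application. Only Ruby stdlib is used; function names, the client_id and the token endpoint URL are assumptions chosen for the example.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

CLIENT_ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'

# JWS requires base64url without padding; stdlib pack/unpack gives us that.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
end

# Client side (RFC 7523): iss and sub are the client_id, aud is the token endpoint,
# and a short exp plus a random jti keep the assertion single-use in practice.
def build_client_assertion(private_key, client_id:, token_endpoint:, now: Time.now.to_i)
  header  = { alg: 'RS256', typ: 'JWT' }
  payload = { iss: client_id, sub: client_id, aud: token_endpoint,
              iat: now, exp: now + 60, jti: SecureRandom.uuid }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  "#{signing_input}.#{b64url_encode(private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end

# The token-request form fields that replace client_secret (hypothetical helper name).
def token_request_params(assertion, code:, redirect_uri:, client_id:)
  { grant_type: 'authorization_code', code: code, redirect_uri: redirect_uri,
    client_id: client_id, client_assertion_type: CLIENT_ASSERTION_TYPE, client_assertion: assertion }
end

# Server side: what the token endpoint checks against the registered public key.
# Returns the claims hash, or nil if any check fails.
def verify_client_assertion(jwt, public_key, client_id:, token_endpoint:, now: Time.now.to_i)
  h64, p64, s64 = jwt.split('.')
  return nil unless h64 && p64 && s64
  header = JSON.parse(b64url_decode(h64))
  return nil unless header['alg'] == 'RS256' # pin the algorithm; never trust alg from the token
  return nil unless public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s64), "#{h64}.#{p64}")
  claims = JSON.parse(b64url_decode(p64))
  return nil unless claims.is_a?(Hash)
  return nil unless claims['iss'] == client_id && claims['sub'] == client_id
  return nil unless claims['aud'] == token_endpoint
  return nil unless claims['exp'].is_a?(Integer) && now < claims['exp']
  claims
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
  nil
end
```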
@kaczowkad kaczowkad requested a review from a team as a code owner June 20, 2025 19:57