stacklok / toolhive / 25739523544

12 May 2026 02:02PM UTC coverage: 65.166% (+0.05%) from 65.118%
push

github

web-flow
Add RFC 7523 JWT Bearer grant package (#5262)

Add pkg/oauthproto/jwtbearer, a self-contained client for the JWT
Bearer token grant defined by RFC 7523 Section 2.1. The grant exchanges
a signed JWT assertion for an OAuth 2.0 access token at a target
authorization server's token endpoint.

TokenURL validation reuses pkg/networking.ValidateEndpointURL plus
host, fragment, and userinfo checks to enforce RFC 6749 Section 3.2
(token endpoints must use TLS) and to reject URLs that smuggle
credentials in the URL itself. The token_type field in the success
response is validated as required by RFC 6749 Section 5.1. HTTP error
responses are returned as *oauth2.RetrieveError (from
golang.org/x/oauth2) with the raw Body scrubbed before return, matching
pkg/oauthproto/tokenexchange's stricter behavior so error strings
cannot leak upstream content into logs.

Client authentication is HTTP Basic per RFC 6749 Section 2.3.1; the
package targets confidential clients per XAA / ID-JAG §8.1 and does not
support public-client identification via a body client_id parameter.

Also add the GrantTypeJWTBearer URN constant to pkg/oauthproto, the
first consumer of which is this package.

The jwtbearer package is the Step B primitive used by the XAA (ID-JAG)
strategy. It has no XAA-specific behaviour at this layer and works for
any RFC 7523 JWT-Bearer exchange with a confidential client.
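
The TokenURL checks and HTTP Basic client authentication described in the commit message, sketched as an added Go example; this is not ToolHive's pkg/oauthproto/jwtbearer code. The helper names `validateTokenURL` and `newGrantRequest` and the `as.example.com` host are assumptions, and the sketch accepts https only, which may be stricter than the project's validator.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const grantTypeJWTBearer = "urn:ietf:params:oauth:grant-type:jwt-bearer" // RFC 7523 Section 2.1

// validateTokenURL (hypothetical helper): https only, host set, no userinfo, no fragment.
func validateTokenURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("token URL is not parseable") // never echo the raw URL
	}
	switch {
	case u.Scheme != "https":
		return nil, fmt.Errorf("token URL must use https")
	case u.Hostname() == "":
		return nil, fmt.Errorf("token URL has no host")
	case u.User != nil:
		return nil, fmt.Errorf("token URL must not carry userinfo")
	case u.Fragment != "" || strings.Contains(raw, "#"):
		return nil, fmt.Errorf("token URL must not carry a fragment")
	}
	return u, nil
}

// newGrantRequest (hypothetical) builds the confidential-client POST; assertion is an already-signed JWT.
func newGrantRequest(tokenURL, clientID, clientSecret, assertion string) (*http.Request, error) {
	u, err := validateTokenURL(tokenURL)
	if err != nil {
		return nil, err
	}
	form := url.Values{"grant_type": {grantTypeJWTBearer}, "assertion": {assertion}}
	req, err := http.NewRequest(http.MethodPost, u.String(), strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret)) // RFC 6749 Section 2.3.1
	return req, nil
}

func main() {
	fmt.Println(validateTokenURL("https://user:pw@as.example.com/token")) // constructed input
}
```
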

72 of 78 new or added lines in 1 file covered. (92.31%)

21 existing lines in 2 files now uncovered.

64269 of 98624 relevant lines covered (65.17%)

61.81 hits per line

Source File

79.38
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available
