feat: JWT IdP intent (#9966)

# Which Problems Are Solved The login v1 allowed to use JWTs as IdP using the JWT IDP. The login V2 uses idp intents for such cases, which were not yet able to handle JWT IdPs. # How the Problems Are Solved - Added handling of JWT IdPs in `StartIdPIntent` and `RetrieveIdPIntent` - The redirect returned by the start, uses the existing `authRequestID` and `userAgentID` parameter names for compatibility reasons. - Added `/idps/jwt` endpoint to handle the proxied (callback) endpoint , which extracts and validates the JWT against the configured endpoint. # Additional Changes None # Additional Context - closes #9758
2025-08-12 06:07:33 +00:00 · 2025-05-27 16:26:46 +02:00
parent 833f6279e1
commit 4d66a786c8
10 changed files with 319 additions and 16 deletions
--- a/internal/idp/providers/jwt/jwt.go
+++ b/internal/idp/providers/jwt/jwt.go
@@ -11,14 +11,14 @@ import (
 )

 const (
-	queryAuthRequestID = "authRequestID"
-	queryUserAgentID   = "userAgentID"
+	QueryAuthRequestID = "authRequestID"
+	QueryUserAgentID   = "userAgentID"
 )

 var _ idp.Provider = (*Provider)(nil)

 var (
-	ErrMissingUserAgentID = errors.New("userAgentID missing")
+	ErrMissingState = errors.New("state missing")
 )

 // Provider is the [idp.Provider] implementation for a JWT provider
@@ -92,32 +92,32 @@ func (p *Provider) Name() string {
 // It will create a [Session] with an AuthURL, pointing to the jwtEndpoint
 // with the authRequest and encrypted userAgent ids.
 func (p *Provider) BeginAuth(ctx context.Context, state string, params ...idp.Parameter) (idp.Session, error) {
-	userAgentID, err := userAgentIDFromParams(params...)
-	if err != nil {
-		return nil, err
+	if state == "" {
+		return nil, ErrMissingState
 	}
+	userAgentID := userAgentIDFromParams(state, params...)
 	redirect, err := url.Parse(p.jwtEndpoint)
 	if err != nil {
 		return nil, err
 	}
 	q := redirect.Query()
-	q.Set(queryAuthRequestID, state)
+	q.Set(QueryAuthRequestID, state)
 	nonce, err := p.encryptionAlg.Encrypt([]byte(userAgentID))
 	if err != nil {
 		return nil, err
 	}
-	q.Set(queryUserAgentID, base64.RawURLEncoding.EncodeToString(nonce))
+	q.Set(QueryUserAgentID, base64.RawURLEncoding.EncodeToString(nonce))
 	redirect.RawQuery = q.Encode()
 	return &Session{AuthURL: redirect.String()}, nil
 }

-func userAgentIDFromParams(params ...idp.Parameter) (string, error) {
+func userAgentIDFromParams(state string, params ...idp.Parameter) string {
 	for _, param := range params {
 		if id, ok := param.(idp.UserAgentID); ok {
-			return string(id), nil
+			return string(id)
 		}
 	}
-	return "", ErrMissingUserAgentID
+	return state
 }

 // IsLinkingAllowed implements the [idp.Provider] interface.