feat: JWT IdP intent (#9966)

# Which Problems Are Solved The login v1 allowed to use JWTs as IdP using the JWT IDP. The login V2 uses idp intents for such cases, which were not yet able to handle JWT IdPs. # How the Problems Are Solved - Added handling of JWT IdPs in `StartIdPIntent` and `RetrieveIdPIntent` - The redirect returned by the start, uses the existing `authRequestID` and `userAgentID` parameter names for compatibility reasons. - Added `/idps/jwt` endpoint to handle the proxied (callback) endpoint , which extracts and validates the JWT against the configured endpoint. # Additional Changes None # Additional Context - closes #9758
2025-08-12 00:27:31 +00:00 · 2025-05-27 16:26:46 +02:00
parent 833f6279e1
commit 4d66a786c8
10 changed files with 319 additions and 16 deletions
--- a/internal/idp/providers/jwt/jwt_test.go
+++ b/internal/idp/providers/jwt/jwt_test.go
@@ -23,6 +23,7 @@ func TestProvider_BeginAuth(t *testing.T) {
 		encryptionAlg func(t *testing.T) crypto.EncryptionAlgorithm
 	}
 	type args struct {
+		state  string
 		params []idp.Parameter
 	}
 	type want struct {
@@ -36,7 +37,7 @@ func TestProvider_BeginAuth(t *testing.T) {
 		want   want
 	}{
 		{
-			name: "missing userAgentID error",
+			name: "missing state, error",
 			fields: fields{
 				issuer:       "https://jwt.com",
 				jwtEndpoint:  "https://auth.com/jwt",
@@ -47,14 +48,34 @@ func TestProvider_BeginAuth(t *testing.T) {
 				},
 			},
 			args: args{
+				state:  "",
 				params: nil,
 			},
 			want: want{
 				err: func(err error) bool {
-					return errors.Is(err, ErrMissingUserAgentID)
+					return errors.Is(err, ErrMissingState)
 				},
 			},
 		},
+		{
+			name: "missing userAgentID, fallback to state",
+			fields: fields{
+				issuer:       "https://jwt.com",
+				jwtEndpoint:  "https://auth.com/jwt",
+				keysEndpoint: "https://jwt.com/keys",
+				headerName:   "jwt-header",
+				encryptionAlg: func(t *testing.T) crypto.EncryptionAlgorithm {
+					return crypto.CreateMockEncryptionAlg(gomock.NewController(t))
+				},
+			},
+			args: args{
+				state:  "testState",
+				params: nil,
+			},
+			want: want{
+				session: &Session{AuthURL: "https://auth.com/jwt?authRequestID=testState&userAgentID=dGVzdFN0YXRl"},
+			},
+		},
 		{
 			name: "successful auth",
 			fields: fields{
@@ -67,6 +88,7 @@ func TestProvider_BeginAuth(t *testing.T) {
 				},
 			},
 			args: args{
+				state: "testState",
 				params: []idp.Parameter{
 					idp.UserAgentID("agent"),
 				},
@@ -91,7 +113,7 @@ func TestProvider_BeginAuth(t *testing.T) {
 			require.NoError(t, err)

 			ctx := context.Background()
-			session, err := provider.BeginAuth(ctx, "testState", tt.args.params...)
+			session, err := provider.BeginAuth(ctx, tt.args.state, tt.args.params...)
 			if tt.want.err != nil && !tt.want.err(err) {
 				a.Fail("invalid error", err)
 			}