[v17] Add Support For JWT-Secured Authorization Requests in OIDC Connector

api/constants/constants.go

@@ -186,6 +186,20 @@ var SystemConnectors = []string{
 	HeadlessConnector,
 }
 
+// OIDCRequestObjectMode represents the Request Object Mode of an OIDC Connector.
+type OIDCRequestObjectMode string
+
+const (
+	// OIDCRequestObjectModeUnknown indicates an unknown or uninitialized state of the request object mode.
+	OIDCRequestObjectModeUnknown OIDCRequestObjectMode = ""
+	// OIDCRequestObjectModeNone indicates that request objects should not be used. Parameters should be encoded
+	// into the URI of the authorization request.
+	OIDCRequestObjectModeNone OIDCRequestObjectMode = "none"
+	// OIDCRequestObjectModeSigned indicates that a signed (unencrypted) request object should be encoded into
+	// the URI of the authorization request.
+	OIDCRequestObjectModeSigned OIDCRequestObjectMode = "signed"
+)
+
 // SecondFactorType is the type of 2FA authentication.
 type SecondFactorType string
 

api/proto/teleport/legacy/types/types.proto

@@ -5136,6 +5136,10 @@ message OIDCConnectorSpecV3 {
   SSOClientRedirectSettings ClientRedirectSettings = 18 [(gogoproto.jsontag) = "client_redirect_settings,omitempty"];
   // MFASettings contains settings to enable SSO MFA checks through this auth connector.
   OIDCConnectorMFASettings MFASettings = 19 [(gogoproto.jsontag) = "mfa,omitempty"];
+  // RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization
+  // requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality
+  // for authorization request parameters.
+  string RequestObjectMode = 22 [(gogoproto.jsontag) = "request_object_mode,omitempty"];
 }
 
 // MaxAge allows the max_age parameter to be nullable to preserve backwards

api/types/oidc.go

@@ -19,7 +19,9 @@ package types
 import (
 	"net/netip"
 	"net/url"
+	"os"
 	"slices"
+	"strconv"
 	"strings"
 	"time"
 
@@ -115,6 +117,10 @@ type OIDCConnector interface {
 	IsMFAEnabled() bool
 	// WithMFASettings returns the connector will some settings overwritten set from MFA settings.
 	WithMFASettings() error
+	// GetRequestObjectMode will return the RequestObjectMode of the connector.
+	GetRequestObjectMode() constants.OIDCRequestObjectMode
+	// SetRequestObjectMode sets the RequestObjectMode of the connector.
+	SetRequestObjectMode(mode constants.OIDCRequestObjectMode)
 }
 
 // NewOIDCConnector returns a new OIDCConnector based off a name and OIDCConnectorSpecV3.
@@ -544,12 +550,29 @@ func (o *OIDCConnectorV3) WithMFASettings() error {
 	o.Spec.ClientSecret = o.Spec.MFASettings.ClientSecret
 	o.Spec.ACR = o.Spec.MFASettings.AcrValues
 	o.Spec.Prompt = o.Spec.MFASettings.Prompt
-	o.Spec.MaxAge = &MaxAge{
-		Value: o.Spec.MFASettings.MaxAge,
+	// In rare cases, some providers will complain about the presence of the 'max_age'
+	// parameter in auth requests. Provide users with a workaround to omit it.
+	omitMaxAge, _ := strconv.ParseBool(os.Getenv("TELEPORT_OIDC_OMIT_MFA_MAX_AGE"))
+	if omitMaxAge {
+		o.Spec.MaxAge = nil
+	} else {
+		o.Spec.MaxAge = &MaxAge{
+			Value: o.Spec.MFASettings.MaxAge,
+		}
 	}
 	return nil
 }
 
+// GetRequestObjectMode returns the configured OIDC request object mode.
+func (r *OIDCConnectorV3) GetRequestObjectMode() constants.OIDCRequestObjectMode {
+	return constants.OIDCRequestObjectMode(r.Spec.RequestObjectMode)
+}
+
+// SetRequestObjectMode sets the OIDC request object mode.
+func (r *OIDCConnectorV3) SetRequestObjectMode(mode constants.OIDCRequestObjectMode) {
+	r.Spec.RequestObjectMode = string(mode)
+}
+
 // Check returns nil if all parameters are great, err otherwise
 func (r *OIDCAuthRequest) Check() error {
 	switch {

docs/pages/reference/operator-resources/resources-teleport-dev-oidcconnectors.mdx

@@ -45,6 +45,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |prompt|string|Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.|
 |provider|string|Provider is the external identity provider.|
 |redirect_url|[]string|RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first url in the list will be used.|
+|request_object_mode|string|RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters.|
 |scope|[]string|Scope specifies additional scopes set by provider.|
 |username_claim|string|UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.|
 

docs/pages/reference/terraform-provider/data-sources/oidc_connector.mdx

@@ -47,6 +47,7 @@ Optional:
 - `prompt` (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
 - `provider` (String) Provider is the external identity provider.
 - `redirect_url` (List of String) RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first url in the list will be used.
+- `request_object_mode` (String) RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters.
 - `scope` (List of String) Scope specifies additional scopes set by provider.
 - `username_claim` (String) UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.
 

docs/pages/reference/terraform-provider/resources/oidc_connector.mdx

@@ -77,6 +77,7 @@ Optional:
 - `prompt` (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
 - `provider` (String) Provider is the external identity provider.
 - `redirect_url` (List of String) RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first url in the list will be used.
+- `request_object_mode` (String) RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters.
 - `scope` (List of String) Scope specifies additional scopes set by provider.
 - `username_claim` (String) UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.
 

examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml

@@ -170,6 +170,12 @@ spec:
                 items:
                   type: string
                 type: array
+              request_object_mode:
+                description: RequestObjectMode determines how JWT-Secured Authorization
+                  Requests will be used for authorization requests. JARs, or request
+                  objects, can provide integrity protection, source authentication,
+                  and confidentiality for authorization request parameters.
+                type: string
               scope:
                 description: Scope specifies additional scopes set by provider.
                 items:

integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml

@@ -170,6 +170,12 @@ spec:
                 items:
                   type: string
                 type: array
+              request_object_mode:
+                description: RequestObjectMode determines how JWT-Secured Authorization
+                  Requests will be used for authorization requests. JARs, or request
+                  objects, can provide integrity protection, source authentication,
+                  and confidentiality for authorization request parameters.
+                type: string
               scope:
                 description: Scope specifies additional scopes set by provider.
                 items:

lib/jwt/jwt.go

@@ -202,6 +202,28 @@ func AlgorithmForPublicKey(pub crypto.PublicKey) (jose.SignatureAlgorithm, error
 	return "", trace.BadParameter("unsupported public key type %T", pub)
 }
 
+// SigningKeyFromPrivateKey creates a jose.SigningKey from the given signer,
+// wrapping it in an opaque signer if necessary.
+func SigningKeyFromPrivateKey(priv crypto.Signer) (jose.SigningKey, error) {
+	// Create a signer with configured private key and algorithm.
+	var signer any
+	switch priv.(type) {
+	case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey:
+		signer = priv
+	default:
+		signer = cryptosigner.Opaque(priv)
+	}
+	algorithm, err := AlgorithmForPublicKey(priv.Public())
+	if err != nil {
+		return jose.SigningKey{}, trace.Wrap(err)
+	}
+
+	return jose.SigningKey{
+		Algorithm: algorithm,
+		Key:       signer,
+	}, nil
+}
+
 func (k *Key) Sign(p SignParams) (string, error) {
 	if err := p.Check(); err != nil {
 		return "", trace.Wrap(err)