[PR #395] [MERGED] Add support for client assertions in the OAuth 2 plugin #1585

Closed
opened 2026-05-06 19:37:53 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/mountain-loop/yaak/pull/395
Author: @DavideBecker
Created: 2/14/2026
Status: Merged
Merged: 2/14/2026
Merged by: @gschier

Base: main ← Head: main


📝 Commits (4)

  • 89e0669 Add support for client assertions in the OAuth 2 plugin
  • 2435473 Just to be sure, make accessing jwk.kid safer in case it doesn't exist
  • 50d0238 typo
  • 17b6c2d Improve OAuth2 client assertion types and UX. Fix nested input visibility in DynamicForm.

📊 Changes

5 files changed (+256 additions, -30 deletions)


📝 plugins/auth-oauth2/package.json (+6 -0)
📝 plugins/auth-oauth2/src/fetchAccessToken.ts (+23 -17)
📝 plugins/auth-oauth2/src/grants/clientCredentials.ts (+124 -4)
📝 plugins/auth-oauth2/src/index.ts (+91 -8)
📝 src-web/components/DynamicForm.tsx (+12 -1)

📄 Description

This PR adds support for client assertions in the OAuth 2 plugin. As an alternative to sending a static client_secret, this allows sending a client_assertion that is a signed JWT.

Full disclaimer: I've only tried this with a single algorithm + secret + auth provider combination, since that's the only one I currently have access to. After I had a working version with my test case I asked Claude Opus 4.6 to add functionality that matches the RFC spec. This mostly added support for other secret types (HMAC & PEM):

```typescript
import { createPrivateKey, type KeyObject } from 'node:crypto';

// Resolve the signing key for the client assertion from the configured secret:
// HMAC algorithms sign with the raw secret, asymmetric ones need a private key
// supplied as a JWK JSON object or as a PEM block. The wrapper function and its
// signature are assumed for this excerpt; the PR body only shows the branch logic.
function resolveSigningKey(
  secret: string | Buffer,
  isHmac: boolean,
): { signingKey: string | Buffer | KeyObject; kid?: string } {
  const trimmed = secret.toString().trim();
  let signingKey: string | Buffer | KeyObject;
  let kid: string | undefined;

  if (isHmac) {
    // HMAC algorithms use the raw secret (string or Buffer)
    signingKey = secret;
  } else if (trimmed.startsWith('{')) {
    // Looks like JSON - treat as JWK. There is surely a better way to detect JWK vs a raw secret, but this should work in most cases.
    let jwk: any;
    try {
      jwk = JSON.parse(trimmed);
    } catch {
      throw new Error('Client Assertion secret looks like JSON but is not valid');
    }

    // kid is optional in a JWK; only forward it when it is actually present
    kid = typeof jwk?.kid === 'string' ? jwk.kid : undefined;
    signingKey = createPrivateKey({ key: jwk, format: 'jwk' });
  } else if (trimmed.startsWith('-----')) {
    // PEM-encoded key
    signingKey = createPrivateKey({ key: trimmed, format: 'pem' });
  } else {
    throw new Error(
      'Client Assertion secret must be a JWK JSON object, a PEM-encoded key ' +
        '(starting with -----), or a raw secret for HMAC algorithms.',
    );
  }

  return { signingKey, kid };
}
```

However, this part is untested. I also don't have an OAuth provider with a basic client_id / client_secret combination at hand right now. I was careful to keep the existing functionality the same; I would appreciate someone testing this first to be sure.

I also noticed when running npm run format that it changed a few lines I did not touch.

Closes https://yaak.app/feedback/posts/support-for-oauth-2-client-assertions-jwks


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-05-06 19:37:53 -05:00
Reference: github-starred/yaak#1585