feat(auth): WIF JWT-bearer scenario and negative tests (SEP-1933) #269
Closed
coding-bobo wants to merge 3 commits into
Conversation
Adds createWorkloadJwt and generateWorkloadKeypair to provide reusable, tested JWT signing infrastructure for the upcoming wif-jwt-bearer scenario (PR modelcontextprotocol#2). Also extracts JWT_BEARER_GRANT_TYPE constant and migrates cross-app-access.ts to use it. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds the auth/wif-jwt-bearer client conformance scenario using the RFC 7523 JWT-bearer grant (urn:ietf:params:oauth:grant-type:jwt-bearer). The scenario pre-signs valid, wrong-audience, and expired JWTs on start() to simulate cloud workload identity tokens. The conformance AS verifies the assertion and emits per-class checks (wif-assertion-verified, wif-assertion-missing, wif-assertion-audience, wif-assertion-expired, wif-assertion-malformed). Broken example clients exercise the missing-assertion and wrong-audience failure paths. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Author
Reopening with correct base branch (stacked on #268)
Context
Implements client conformance for Workload Identity Federation (SEP-1933, RFC 7523 §2.1) — the second of two PRs for issue #223.
Depends on #268 (JWT signing helper). Once #268 merges this will be rebased on main; the diff currently includes both.

What this adds

- auth/wif-jwt-bearer scenario (src/scenarios/client/auth/wif-jwt-bearer.ts):
  - Pre-signs valid_jwt, wrong_audience_jwt and expired_jwt in start() (simulates a workload OIDC IdP)
  - grant_types: [jwt-bearer] and token_endpoint_auth_method: none
  - The AS verifies the assertion parameter and emits per-class checks:
    - wif-grant-type — rejects unexpected grant types
    - wif-assertion-missing — rejects requests without assertion
    - wif-assertion-expired — rejects expired JWTs (jose.errors.JWTExpired)
    - wif-assertion-audience — rejects wrong aud (JWTClaimValidationFailed with claim === 'aud')
    - wif-assertion-malformed — rejects invalid signatures and other claim failures
    - wif-assertion-verified — success
- WifJwtBearerProvider in everything-client.ts:
  - OAuthClientProvider with prepareTokenRequest() returning grant_type=jwt-bearer&assertion=<jwt>
  - null as assertion deliberately omits the parameter (for the missing-assertion negative test)
  - clientMetadata.grant_types: [JWT_BEARER_GRANT_TYPE] so DCR advertises the grant
- Negative clients:
  - auth-test-wif-wrong-audience.ts — presents wrong_audience_jwt, triggers wif-assertion-audience
  - auth-test-wif-no-assertion.ts — omits assertion, triggers wif-assertion-missing
- Schema and spec refs:
  - src/schemas/context.ts — adds auth/wif-jwt-bearer discriminated union variant
  - src/scenarios/client/auth/spec-references.ts — adds SEP_1933_WIF

Testing
- npx vitest run src/scenarios/client/auth/index.test.ts — 33 tests pass (13 new: extension scenario loop + 2 WIF negative tests)
- npx vitest run — 137 tests pass, no regressions
- npm run typecheck — clean
- npm run build — clean
- wif-* checks are SUCCESS

Closes
Part of #223 (WIF client conformance, SEP-1933). Depends on #268.