Description
Checklist
- I have looked into the Readme and the Examples, and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Describe the problem you'd like to have solved
The Auth0 documentation recommends using Private Key JWT. https://auth0.com/docs/secure/application-credentials#client-secret-authentication
To improve your security posture, we recommend using the Private Key JWT authentication method.
The default authentication for Auth0 is client secret. The strategy provided by omniauth-auth0 only supports client secret. It does not provide an option to use private key JWT or a separate strategy using private key JWT. Is there a reason private key JWT should not be used here?
Describe the ideal solution
Allow the OmniAuth::Strategies::Auth0 to be configured for client secret or private key JWT. Using private key JWT should not require providing a client secret.
Alternatives and current workarounds
Using OmniAuth::Strategies::Auth0, create a new strategy that only supports private key JWT. A few changes are required to get authentication working.
Subclassing OmniAuth::Strategies::Auth0 and overriding methods as needed was considered. The telemetry set by build_access_token is one obstacle. It would indicate the omniauth-auth0 gem was used, which is not entirely accurate with an override.
Additional context
No response
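For reference, an added example (not code from this issue or from the omniauth-auth0 gem) of what the requested private_key_jwt flow involves: the client builds an RS256-signed client_assertion (RFC 7523: iss and sub are the client_id, aud is the token endpoint, short exp, unique jti) and sends it instead of a client_secret, and the token endpoint verifies the signature and claims. Function names, the tenant URL and the client id below are hypothetical placeholders.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Base64url without padding, as JWS requires (stdlib only, no jwt gem).
def b64url_encode(bytes) = [bytes].pack('m0').tr('+/', '-_').delete('=')
def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
end

# Client side: build the RS256 client_assertion for the token endpoint.
def build_client_assertion(client_id:, token_endpoint:, private_key:, now: Time.now.to_i, ttl: 60)
  header = { alg: 'RS256', typ: 'JWT' }
  claims = { iss: client_id, sub: client_id, aud: token_endpoint,
             iat: now, exp: now + ttl, jti: SecureRandom.uuid }
  signing_input = [header, claims].map { |h| b64url_encode(JSON.generate(h)) }.join('.')
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url_encode(sig)}"
end

# Server side (what the token endpoint must check): pinned alg, signature with
# the registered public key, iss/sub match the client, aud is this endpoint,
# not expired. Returns the claims or raises RuntimeError.
def verify_client_assertion(assertion, client_id:, token_endpoint:, public_key:, now: Time.now.to_i)
  h64, c64, s64 = assertion.split('.')
  raise 'malformed assertion' unless h64 && c64 && s64
  raise 'unexpected alg' unless JSON.parse(b64url_decode(h64))['alg'] == 'RS256'
  ok = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s64), "#{h64}.#{c64}")
  raise 'bad signature' unless ok
  claims = JSON.parse(b64url_decode(c64))
  raise 'wrong issuer/subject' unless claims['iss'] == client_id && claims['sub'] == client_id
  raise 'wrong audience' unless claims['aud'] == token_endpoint
  raise 'expired' unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims
end

# Token request body: the assertion authenticates the client, no client_secret.
def token_request_params(code:, redirect_uri:, assertion:)
  { grant_type: 'authorization_code', code: code, redirect_uri: redirect_uri,
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion }
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)                       # constructed test key
  endpoint = 'https://YOUR_TENANT.auth0.com/oauth/token'    # placeholder tenant
  assertion = build_client_assertion(client_id: 'CLIENT_ID_PLACEHOLDER', token_endpoint: endpoint, private_key: key)
  puts verify_client_assertion(assertion, client_id: 'CLIENT_ID_PLACEHOLDER', token_endpoint: endpoint, public_key: key.public_key)
end
```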