Support OAuth2 with JSON Web Token

[LorenzoLeonardo]

Don't we support urn:ietf:params:oauth:grant-type:jwt-bearer in getting an access token?

[marcel-hamer]

I have done a first setup in this commit fork that I have tested against Keycloak successfully.

I am unsure if this needs more work for other use cases.

[seanpianka]

Is this fork safe to merge into the mainline? I'm interested in using this for Apple SSO

[fiadliel]

Just to note, I think this implements §2.2 of RFC 7523, but not §2.1 (which requires a new grant type).

[seanpianka]

I will do what I can by forking and modifying it on my own to support that section... trying to avoid handrolling an oauth2 implementation if possible for Apple's SSO!

[seanpianka]

Apple's SSO seemed to only require a dynamic client_secret, as described in their docs here. I've essentially just added a step before requesting an access token in my own codebase that generates this JWT using jwt-simple, then overwrite the client secret with that value.

[ramosbugs]

JWTs add significant complexity that I would like to avoid in this crate. See earlier comment. Just as I implemented OpenID Connect in a separate crate on top of this one, I think RFC 7523 is complex enough to merit its own crate (maintained by someone else).

If there are API changes needed to this crate in order to be able to build that separate crate (e.g., stuff like add_extra_param), I'd be happy to discuss those.

[marcel-hamer]

For me it works fine setting the client_assertion and client_assertion_type through the add_extra_param() function. I have only used and tested §2.2 of RFC 7523 for now.