feat: JWT bearer assertions for client authentication (#566)

Co-authored-by: Kyle Mendell <ksm@ofkm.us>
Co-authored-by: Kyle Mendell <kmendell@ofkm.us>
Co-authored-by: Elias Schneider <login@eliasschneider.com>

backend/internal/dto/dto_mapper.go

@@ -62,7 +62,60 @@ func mapStructInternal(sourceVal reflect.Value, destVal reflect.Value) error {
 	return nil
 }
 
+//nolint:gocognit
 func mapField(sourceField reflect.Value, destField reflect.Value) error {
+	// Handle pointer to struct in source
+	if sourceField.Kind() == reflect.Ptr && !sourceField.IsNil() {
+		switch {
+		case sourceField.Elem().Kind() == reflect.Struct:
+			switch {
+			case destField.Kind() == reflect.Struct:
+				// Map from pointer to struct -> struct
+				return mapStructInternal(sourceField.Elem(), destField)
+			case destField.Kind() == reflect.Ptr && destField.CanSet():
+				// Map from pointer to struct -> pointer to struct
+				if destField.IsNil() {
+					destField.Set(reflect.New(destField.Type().Elem()))
+				}
+				return mapStructInternal(sourceField.Elem(), destField.Elem())
+			}
+		case destField.Kind() == reflect.Ptr &&
+			destField.CanSet() &&
+			sourceField.Elem().Type().AssignableTo(destField.Type().Elem()):
+			// Handle primitive pointer types (e.g., *string to *string)
+			if destField.IsNil() {
+				destField.Set(reflect.New(destField.Type().Elem()))
+			}
+			destField.Elem().Set(sourceField.Elem())
+			return nil
+		case destField.Kind() != reflect.Ptr &&
+			destField.CanSet() &&
+			sourceField.Elem().Type().AssignableTo(destField.Type()):
+			// Handle *T to T conversion for primitive types
+			destField.Set(sourceField.Elem())
+			return nil
+		}
+	}
+
+	// Handle pointer to struct in destination
+	if destField.Kind() == reflect.Ptr && destField.CanSet() {
+		switch {
+		case sourceField.Kind() == reflect.Struct:
+			// Map from struct -> pointer to struct
+			if destField.IsNil() {
+				destField.Set(reflect.New(destField.Type().Elem()))
+			}
+			return mapStructInternal(sourceField, destField.Elem())
+		case !sourceField.IsZero() && sourceField.Type().AssignableTo(destField.Type().Elem()):
+			// Handle T to *T conversion for primitive types
+			if destField.IsNil() {
+				destField.Set(reflect.New(destField.Type().Elem()))
+			}
+			destField.Elem().Set(sourceField)
+			return nil
+		}
+	}
+
 	switch {
 	case sourceField.Type() == destField.Type():
 		destField.Set(sourceField)

backend/internal/dto/oidc_dto.go

@@ -8,10 +8,11 @@ type OidcClientMetaDataDto struct {
 
 type OidcClientDto struct {
 	OidcClientMetaDataDto
-	CallbackURLs       []string `json:"callbackURLs"`
-	LogoutCallbackURLs []string `json:"logoutCallbackURLs"`
-	IsPublic           bool     `json:"isPublic"`
-	PkceEnabled        bool     `json:"pkceEnabled"`
+	CallbackURLs       []string                 `json:"callbackURLs"`
+	LogoutCallbackURLs []string                 `json:"logoutCallbackURLs"`
+	IsPublic           bool                     `json:"isPublic"`
+	PkceEnabled        bool                     `json:"pkceEnabled"`
+	Credentials        OidcClientCredentialsDto `json:"credentials"`
 }
 
 type OidcClientWithAllowedUserGroupsDto struct {
@@ -25,11 +26,23 @@ type OidcClientWithAllowedGroupsCountDto struct {
 }
 
 type OidcClientCreateDto struct {
-	Name               string   `json:"name" binding:"required,max=50"`
-	CallbackURLs       []string `json:"callbackURLs"`
-	LogoutCallbackURLs []string `json:"logoutCallbackURLs"`
-	IsPublic           bool     `json:"isPublic"`
-	PkceEnabled        bool     `json:"pkceEnabled"`
+	Name               string                   `json:"name" binding:"required,max=50"`
+	CallbackURLs       []string                 `json:"callbackURLs"`
+	LogoutCallbackURLs []string                 `json:"logoutCallbackURLs"`
+	IsPublic           bool                     `json:"isPublic"`
+	PkceEnabled        bool                     `json:"pkceEnabled"`
+	Credentials        OidcClientCredentialsDto `json:"credentials"`
+}
+
+type OidcClientCredentialsDto struct {
+	FederatedIdentities []OidcClientFederatedIdentityDto `json:"federatedIdentities,omitempty"`
+}
+
+type OidcClientFederatedIdentityDto struct {
+	Issuer   string `json:"issuer"`
+	Subject  string `json:"subject,omitempty"`
+	Audience string `json:"audience,omitempty"`
+	JWKS     string `json:"jwks,omitempty"`
 }
 
 type AuthorizeOidcClientRequestDto struct {
@@ -52,13 +65,15 @@ type AuthorizationRequiredDto struct {
 }
 
 type OidcCreateTokensDto struct {
-	GrantType    string `form:"grant_type" binding:"required"`
-	Code         string `form:"code"`
-	DeviceCode   string `form:"device_code"`
-	ClientID     string `form:"client_id"`
-	ClientSecret string `form:"client_secret"`
-	CodeVerifier string `form:"code_verifier"`
-	RefreshToken string `form:"refresh_token"`
+	GrantType           string `form:"grant_type" binding:"required"`
+	Code                string `form:"code"`
+	DeviceCode          string `form:"device_code"`
+	ClientID            string `form:"client_id"`
+	ClientSecret        string `form:"client_secret"`
+	CodeVerifier        string `form:"code_verifier"`
+	RefreshToken        string `form:"refresh_token"`
+	ClientAssertion     string `form:"client_assertion"`
+	ClientAssertionType string `form:"client_assertion_type"`
 }
 
 type OidcIntrospectDto struct {