[PR #5260] auth/oidc: Add support for static JWKS and PEM key verification in OIDC #5210

Open
opened 2026-05-05 14:56:46 -06:00 by gitea-mirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/5260
Author: @johnvox
Created: 3/23/2026
Status: 🔄 Open

Base: dev ← Head: feat/oidc-key-based


📝 Commits (7)

  • 313bb11 feat: Support for static oidc keys
  • 086db93 fix: fix decode pub key
  • 9199c69 feat: refactor and add test
  • 255249d fix: address lint issues
  • f666c99 Handle nil JWKS in DecodeJWKS function
  • 05c5fa2 Merge branch 'dev' into feat/oidc-key-based
  • 6a7ed23 feat: add test with empty public key

📊 Changes

16 files changed (+690 additions, -1 deletions)


📝 pkg/auth/oidc.go (+42 -1)
📝 pkg/auth/oidc_test.go (+260 -0)
pkg/auth/testSample/jwks_multiple.json (+20 -0)
pkg/auth/testSample/jwks_single.json (+12 -0)
pkg/auth/testSample/pem_multiple.pem (+12 -0)
pkg/auth/testSample/pem_single.pem (+6 -0)
pkg/auth/testSample/pki.json (+32 -0)
pkg/auth/testSample/pki/ca.key (+28 -0)
pkg/auth/testSample/pki/ca.pem (+21 -0)
pkg/auth/testSample/pki/server.csr (+16 -0)
pkg/auth/testSample/pki/server.full.pem (+42 -0)
pkg/auth/testSample/pki/server.key (+28 -0)
pkg/auth/testSample/pki/server.pem (+21 -0)
pkg/auth/utils.go (+62 -0)
pkg/auth/utils_test.go (+78 -0)
📝 pkg/config/v1/server.go (+10 -0)

📄 Description

WHY

This PR introduces support for static key verification in the OIDC authentication flow, allowing the use of JWKS (JSON Web Key Set) and PEM-encoded certificates/public keys as alternatives to dynamic OIDC provider-based verification.

This enables OIDC token verification in offline or restricted environments.

New Configuration:

  • Added AuthOIDCIssuer struct to support static key configuration via:
    • Inline JWKS (JWKS).
    • JWKS file path (JWKSFile).
    • PEM file path (CertificatesFile).

Here is the config snippet used during dev:

```toml
# frpc.toml
serverAddr = "127.0.0.1"
serverPort = 7000

[log]
disablePrintColor = true

[auth]
method = "oidc"

[auth.oidc.tokenSource]
type = "file"

  [auth.oidc.tokenSource.file]
  path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
```

```toml
# frps.toml
bindPort = 7000
kcpBindPort = 7000

[log]
disablePrintColor = true
level = "trace"

[auth]
method = "oidc"

  [auth.oidc]
  audience = "k3s"
  issuer = "https://kubernetes.default.svc.cluster.local"

    [auth.oidc.issuerSpec]
    # pemFile = "/home/jynolen/oss/frp/dist/ca.crt"
    # jwksFile = "/home/jynolen/oss/frp/dist/jwks.json"

[[auth.oidc.issuerSpec.jwks.keys]]
use = "sig"
kty = "RSA"
kid = "00000000-0000-0000-0000-000000000000"
alg = "RS256"
n = "tgguCdoYMBpTNREKeRIAQ-kMVTRtpofs5mveaUAmCnDkKYzIWBXyRNoCiB5RVshB1fYAVACohnidsXX1r2407sD7CQIYxsb3p8hu8dHfBILFdGBViYJD6vGBH6JW13M_giyjj1U0qiiOq7mxw8UhKdK_TAqzTizQkhAM5lkas2GyTwONXhMMdHI2y9wdZ1zhgQZ_IYfote-PScW_IZt_F21kW258UXldEb1d5s9zS3ewkvhuGolR8uTz_FvJ_-whpsuhbZT9Psqd64eEtej2-Prbzm-zO2OzBLTpt_jjnkpSz80J4DrfLTD3pbxYOK9AsrxIXkTepp-8RSW_s4_Q1w"
e = "AQAB"
```
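The two static key sources the description lists (an inline or file-based JWKS, and a PEM file of certificates or public keys) both have to become a set of RSA public keys before any token can be checked. The Go below is an added example written for this page, not code from the PR or from frp: `ParseJWKS`, `ParsePEMKeys`, `KeyID` and `PEMFor` are names chosen here and are not the PR's own `DecodeJWKS` or `utils.go`. `SampleJWKS` is the JWK from the frps.toml snippet above rewritten as the JSON a `jwksFile` would contain; the all-zero `kid` is the author's placeholder value.

```go
package main

import (
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
)

// JWK holds the RFC 7517 fields used by the inline [[auth.oidc.issuerSpec.jwks.keys]] entries.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid,omitempty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// KeySet maps a key id to an RSA public key that tokens may later be verified against.
type KeySet map[string]*rsa.PublicKey

// ParseJWKS reads a {"keys":[...]} document. Non-RSA keys are skipped; a malformed n/e, a modulus
// under 2048 bits (256 bytes) or a document that yields no usable key at all is an error.
func ParseJWKS(data []byte) (KeySet, error) {
	var set struct{ Keys []JWK `json:"keys"` }
	if err := json.Unmarshal(data, &set); err != nil {
		return nil, fmt.Errorf("jwks: %w", err)
	}
	ks := KeySet{}
	for _, k := range set.Keys {
		if k.Kty != "RSA" {
			continue
		}
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if errN != nil || errE != nil || len(n) < 256 || len(e) == 0 || len(e) > 4 {
			return nil, fmt.Errorf("jwks: key %q has a malformed or weak n or e", k.Kid)
		}
		ks[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	if len(ks) == 0 {
		return nil, fmt.Errorf("jwks: no usable RSA signing key")
	}
	return ks, nil
}

// ParsePEMKeys collects RSA public keys from every CERTIFICATE or PUBLIC KEY block in a PEM file.
// PEM carries no kid, so each key is stored under KeyID, the hex SHA-256 of its SPKI encoding.
func ParsePEMKeys(data []byte) (KeySet, error) {
	ks := KeySet{}
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		var pub any
		var err error
		switch b.Type {
		case "CERTIFICATE":
			var cert *x509.Certificate
			if cert, err = x509.ParseCertificate(b.Bytes); err == nil {
				pub = cert.PublicKey
			}
		case "PUBLIC KEY":
			pub, err = x509.ParsePKIXPublicKey(b.Bytes)
		default:
			continue // private keys, CSRs and other blocks sharing the file are ignored
		}
		if err != nil {
			return nil, fmt.Errorf("pem: %w", err)
		}
		if rpk, ok := pub.(*rsa.PublicKey); ok {
			ks[KeyID(rpk)] = rpk
		}
	}
	if len(ks) == 0 {
		return nil, fmt.Errorf("pem: no RSA public key found")
	}
	return ks, nil
}

func KeyID(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// PEMFor renders a key as a PUBLIC KEY block, i.e. what a pemFile for the same issuer would hold.
func PEMFor(pub *rsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// SampleJWKS is the public key from the PR's frps.toml snippet, rewritten as the JSON a jwksFile
// holds (constructed from the page's own n/e values; the all-zero kid is the author's placeholder).
const SampleJWKS = `{"keys":[{"use":"sig","kty":"RSA","kid":"00000000-0000-0000-0000-000000000000","alg":"RS256","n":"tgguCdoYMBpTNREKeRIAQ-kMVTRtpofs5mveaUAmCnDkKYzIWBXyRNoCiB5RVshB1fYAVACohnidsXX1r2407sD7CQIYxsb3p8hu8dHfBILFdGBViYJD6vGBH6JW13M_giyjj1U0qiiOq7mxw8UhKdK_TAqzTizQkhAM5lkas2GyTwONXhMMdHI2y9wdZ1zhgQZ_IYfote-PScW_IZt_F21kW258UXldEb1d5s9zS3ewkvhuGolR8uTz_FvJ_-whpsuhbZT9Psqd64eEtej2-Prbzm-zO2OzBLTpt_jjnkpSz80J4DrfLTD3pbxYOK9AsrxIXkTepp-8RSW_s4_Q1w","e":"AQAB"}]}`

func main() {
	ks, err := ParseJWKS([]byte(SampleJWKS))
	pub := ks["00000000-0000-0000-0000-000000000000"]
	fromPEM, _ := ParsePEMKeys(PEMFor(pub))
	fmt.Println(err, pub.N.BitLen(), pub.E, fromPEM[KeyID(pub)].N.Cmp(pub.N) == 0) // <nil> 2048 65537 true
}
```

Three details matter for a static key set like this: a file that yields no key must be an error rather than an empty set (otherwise frps would silently accept nothing, or worse, fall through to another path); PEM keys have no `kid`, so they need a derived identifier and the verifier has to be able to try them by fingerprint; and a PEM file often also carries private keys or CSRs (the PR's `testSample/pki` directory has both), which a loader should skip rather than fail on.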
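Loading keys is only half of the check: the server still has to pin the signing algorithm, select the key, and then enforce the `issuer` and `audience` from `[auth.oidc]`. The following is an added example, not frp's implementation and not the PR's code; the dynamic provider-based flow the description mentions is not reproduced here. `Policy`, `Verify`, `checkClaims` and `Sign` are names chosen for this example; the issuer and audience values are the ones from the frps.toml snippet above; `Sign` exists only to mint test tokens the way the cluster API server would, since with static keys frps never contacts the issuer.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"time"
)

// Policy mirrors [auth.oidc] in the frps.toml above (issuer, audience) plus static keys by kid.
type Policy struct {
	Issuer, Audience string
	Keys             map[string]*rsa.PublicKey
}

type Audiences []string // accepts both the string and the array form of the aud claim

func (a *Audiences) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = Audiences{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

type Claims struct {
	Iss string    `json:"iss"`
	Aud Audiences `json:"aud"`
	Exp int64     `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Verify checks the signature against the static key set and only then parses the claims. Only
// alg RS256 is accepted, so "none" or an HMAC alg is refused before any key is consulted; a kid
// present in the set pins the key, otherwise (PEM-derived keys carry no kid) every key is tried.
func (p Policy) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected header.payload.signature")
	}
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("jwt: malformed header")
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("jwt: alg %q not allowed", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for kid, k := range p.Keys {
		if hdr.Kid != "" && kid != hdr.Kid && p.Keys[hdr.Kid] != nil {
			continue
		}
		if err == nil && rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig) == nil {
			return p.checkClaims(parts[1], now)
		}
	}
	return nil, errors.New("jwt: signature matches no configured key")
}

func (p Policy) checkClaims(payload string, now time.Time) (*Claims, error) {
	var c Claims
	if pb, err := b64.DecodeString(payload); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("jwt: malformed payload")
	}
	switch {
	case c.Iss != p.Issuer:
		return nil, fmt.Errorf("jwt: issuer %q is not %q", c.Iss, p.Issuer)
	case !slices.Contains(c.Aud, p.Audience):
		return nil, fmt.Errorf("jwt: audience %v does not include %q", c.Aud, p.Audience)
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("jwt: token expired or has no exp")
	}
	return &c, nil
}

// Sign mints an RS256 token over a raw JSON payload, standing in for the real issuer (the cluster API server).
func Sign(priv *rsa.PrivateKey, kid string, payload []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	p := Policy{Issuer: "https://kubernetes.default.svc.cluster.local", Audience: "k3s", Keys: map[string]*rsa.PublicKey{"kid-1": &priv.PublicKey}}
	payload := fmt.Sprintf(`{"iss":%q,"aud":["k3s"],"exp":%d}`, p.Issuer, time.Now().Add(time.Hour).Unix())
	fmt.Println(p.Verify(Sign(priv, "kid-1", []byte(payload)), time.Now())) // claims, <nil>
}
```

The order of checks is the point: the algorithm is fixed from configuration rather than read from the token, the payload is decoded only after a configured key has verified the signature, and `aud` is matched as a set because Kubernetes projected service-account tokens carry it as an array while other issuers emit a plain string. `now` is a parameter so expiry can be tested deterministically.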



🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

gitea-mirror added the
pull-request
label 2026-05-05 14:56:46 -06:00
Reference: github-starred/frp#5210