{"id":20844525,"url":"https://github.com/pushpabrol/pk_jwt_token_wrapper","last_synced_at":"2025-10-26T01:36:44.811Z","repository":{"id":194394528,"uuid":"690735631","full_name":"pushpabrol/pk_jwt_token_wrapper","owner":"pushpabrol","description":null,"archived":false,"fork":false,"pushed_at":"2023-09-19T22:37:49.000Z","size":54,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-12T11:17:07.149Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://pk-jwt-proxy.vercel.app","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pushpabrol.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-09-12T19:11:34.000Z","updated_at":"2023-09-27T15:53:39.000Z","dependencies_parsed_at":"2025-01-19T04:33:55.154Z","dependency_job_id":"31378830-a0bc-43cf-8ada-47132e825b18","html_url":"https://github.com/pushpabrol/pk_jwt_token_wrapper","commit_stats":null,"previous_names":["pushpabrol/pk_jwt_proxy","pushpabrol/pk_jwt_token_wrapper"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/pushpabrol/pk_jwt_token_wrapper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pushpabrol%2Fpk_jwt_token_wrapper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pushpabrol%2Fpk_jwt_token_wrapper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pushpabrol%2Fpk_jwt_token_wrapper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/rep
ositories/pushpabrol%2Fpk_jwt_token_wrapper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pushpabrol","download_url":"https://codeload.github.com/pushpabrol/pk_jwt_token_wrapper/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pushpabrol%2Fpk_jwt_token_wrapper/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":281047794,"owners_count":26435124,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-25T02:00:06.499Z","response_time":81,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-18T02:09:52.720Z","updated_at":"2025-10-26T01:36:44.757Z","avatar_url":"https://github.com/pushpabrol.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Token Endpoint Wrapper for Private Key JWT Client Authentication\n\nThis repository contains a Node.js-based Token Endpoint Wrapper for Private Key JWT assertion to be used as part of an auth0 OIDC connection for an IDP that requires client authentication on token endpoint via private_key_jwt\n\n## Prerequisites\n\nBefore running this server, you should have the following prerequisites installed and configured:\n\n1. Node.js: Make sure you have Node.js installed on your system. You can download it from [nodejs.org](https://nodejs.org/).\n\n2. 
Environment Variables: Create a `.env` file in the root directory of this project and configure the required environment variables. Refer to the [Configuration](#configuration) section for details on the environment variables.\n\n## Installation\n\n1. Clone or copy this repository into your own GitHub account.\n\n## Usage\n\nThis sample is set up to run on Vercel. The `vercel.json` file sets up deployment to Vercel. Follow the options within your Vercel dashboard to install it, and check the Configuration section below to set up the environment variables in Vercel.\n\n## Endpoints\n\n### 1. `/token` (POST)\n\nThis endpoint is used as a wrapper on your IDP's token endpoint. Clients can send a request to exchange an authorization code for access tokens. The server will validate the request and, if valid, return the tokens.\n\nExample Request:\n```json\nPOST /token\n\n{\n  \"client_id\": \"your-client-id\",\n  \"code\": \"authorization-code\",\n  \"redirect_uri\": \"https://your-redirect-uri\",\n  \"code_verifier\": \"code-verifier\",\n  \"client_secret\": \"your-client-secret\"\n}\n```\n\n### 2. `/.well-known/keys` (GET)\n\nThis endpoint provides the public keys for client authentication. It's used by the IDP to verify client assertions. In this example it has keys for both RS256 and RS512.\n\nExample Request:\n```json\nGET /.well-known/keys\n\n```\n\n### 3. `/intermediary.jwks` (GET)\n\nThis endpoint provides the public keys for the Auth0 connection to use as its JWKS endpoint. Since the IDP sends a token signed with RS512, the wrapper verifies the token, performs all the checks, and then creates a new token signed with RS256. To verify this token Auth0 needs a JWKS, and this URL provides it. We will also update the connection to use this as the JWKS instead of the one provided by the IDP.\n\nExample Request:\n```json\nGET /intermediary.jwks\n\n```\n\n## Configuration\n\nBefore running the server, configure the required environment variables in the `.env` file or in Vercel. Here are the environment variables you need to set:\n\n- `RP_ID` - \u003cClient_id from the IDP\u003e\n- `A0_CLIENT_SECRET` - \u003ca client secret you use in the token wrapper to make sure it's only called from Auth0 (shared secret with Auth0)\u003e\n- `RP_PRIVATE_KEY_RS256` - \"pkcs8 formatted private key - RS256\"\n- `RP_PRIVATE_KEY_RS512` - \"pkcs8 formatted private key - RS512\"\n- `RP_KID_RS256` - \u003ckid for RS256\u003e\n- `RP_KID_RS512` - \u003ckid for RS512\u003e\n- `IDP_DOMAIN` - domain of your IDP\n- `IDP_TOKEN_ENDPOINT` - path of your IDP's token endpoint relative to the domain's base URL, e.g. /token\n- `IDP_TOKEN_SIGNING_ALG` - algorithm used by the IDP to sign the id_token\n- `RP_CLIENT_ASSERTION_SIGNING_ALG` - algorithm used by the RP/this wrapper to sign the client authentication assertion\n- `DEBUG` - false or true\n- `INTERMEDIARY_PRIVATE_KEY` - \"pkcs8 formatted private key - RS256, used by the wrapper to sign the token with RS256 for the Auth0 connection\"\n- `INTERMEDIARY_KEY_KID` - \"kid for RS256 intermediary\"\n- `INTERMEDIARY_SIGNING_ALG` - RS256 \u003cfor Auth0 this is RS256\u003e\n- `IDP_JWKS_ENDPOINT` - path of your IDP's JWKS endpoint relative to the domain's base URL, e.g. /.well-known/jwks.json\n\nEnsure that the `RP_PRIVATE_KEY_RS256` and/or `RP_PRIVATE_KEY_RS512`, `INTERMEDIARY_PRIVATE_KEY`, `INTERMEDIARY_KEY_KID` and `RP_CLIENT_ASSERTION_SIGNING_ALG` environment variables are set according to the private key and algorithm you use for generating client assertions.\n\nEnsure that `IDP_TOKEN_SIGNING_ALG` matches the algorithm the IDP uses to sign the id_token.\n\nIn the `.env` file, `RP_PRIVATE_KEY_RS256` or `RP_PRIVATE_KEY_RS512` is the PKCS8-formatted private key with newlines replaced by `\\n`. Example: -----BEGIN PRIVATE KEY-----\\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC1dsvQ6S79NM+U\\n...gEFVWzotcHeRbyso8nNEeF10JBPY2qvNOveLsV9WFQhwG6+vFtski1VpjYpucjaN\\nadx4UD2Hw8MYvwdkG7BpFA==\\n-----END PRIVATE KEY-----\\n\n\nThe `spkis/relyingPartyJWKS.json` file contains the public key(s) in JWKS format that are exposed at `/.well-known/keys` for the IDP to use for client assertion verification. If your IDP supports `jwks_uri` for client assertion validation, this URL can be used; otherwise, share the public key from this JWKS with them. Make sure you set the contents of this file to the public keys you have for client assertion validation by the IDP.\n\nThe `spkis/intermediaryJWKS.json` file contains the public key(s) in JWKS format that are exposed at `/intermediary.jwks` for Auth0 to use to verify the RS256 token created in the wrapper.\n\n## Use in an Auth0 connection (example)\n\nCreate a connection in Auth0 using the Auth0 Management API.\n\nAssume your IDP's URL is https://idp.com\n\n```\n{\n  \"options\": {\n    \"type\": \"back_channel\",\n    \"scope\": \"openid profile email\",\n    \"issuer\": \"https://idp.com\",\n    \"jwks_uri\": \"https://\u003cyour token wrapper's domain\u003e/intermediary.jwks\",\n    \"client_id\": \"client_pk_kwt\",\n    \"attribute_map\": {\n      \"mapping_mode\": \"bind_all\"\n    },\n    \"client_secret\": \"e7b613fc-68df-480c-855b-e6ae8b15e44d\",\n    \"schema_version\": \"openid-1.0.0\",\n    \"token_endpoint\": \"https://\u003cyour token wrapper's domain\u003e/token\",\n    \"userinfo_endpoint\": \"https://idp.com/me\",\n    \"connection_settings\": {\n      \"pkce\": \"auto\"\n    },\n    \"authorization_endpoint\": \"https://idp.com/auth\"\n  },\n  \"strategy\": \"oidc\",\n  \"name\": \"\u003cyour connection's name in auth0\u003e\",\n  \"is_domain_connection\": false,\n  \"show_as_button\": false,\n  \"display_name\": \"\u003cyour connection's display name in auth0\u003e\",\n  \"enabled_clients\": [\n    \"\u003cclient for which this connection is enabled\u003e(optional)\"\n  ]\n}\n```\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpushpabrol%2Fpk_jwt_token_wrapper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpushpabrol%2Fpk_jwt_token_wrapper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpushpabrol%2Fpk_jwt_token_wrapper/lists"}