feat(oidc): client authentication modes (#5150)

This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors.

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>

1 files changed, 7 insertions, 3 deletions

diff --git a/internal/oidc/const.go b/internal/oidc/const.go
index db8c3a23d..01670e317 100644
--- a/internal/oidc/const.go
+++ b/internal/oidc/const.go
@@ -69,15 +69,12 @@ const (
 	GrantTypeImplicit          = implicit
 	GrantTypeRefreshToken      = "refresh_token"
 	GrantTypeAuthorizationCode = "authorization_code"
-	GrantTypePassword          = "password"
-	GrantTypeClientCredentials = "client_credentials"
 )
 
 // Client Auth Method strings.
 const (
 	ClientAuthMethodClientSecretBasic = "client_secret_basic"
 	ClientAuthMethodClientSecretPost  = "client_secret_post"
-	ClientAuthMethodClientSecretJWT   = "client_secret_jwt"
 	ClientAuthMethodNone              = "none"
 )
 
@@ -117,6 +114,13 @@ const (
 	FormParameterCodeChallengeMethod = "code_challenge_method"
 )
 
+const (
+	PromptNone    = none
+	PromptLogin   = "login"
+	PromptConsent = "consent"
+	// PromptCreate  = "create" // This prompt value is currently unused.
+)
+
 // Endpoints.
 const (
 	EndpointAuthorization              = "authorization"