OpenIdConnectConfigurationService.GetOpenIdConnectConfigurationAsync: missing support for JWK client secret

[millitza]

We try to upgrade to Duende.AccessTokenManagement v4, but experience problems in our client assertion flow.

We call OpenIdConnectConfigurationService.GetOpenIdConnectConfigurationAsync within our ClientAssertionService (extends IClientAssertionService).
Internally, this method calls ClientSecret.Parse(options.ClientSecret).
This parsing call throws an exception of type InvalidOperationException due to the length of the secret (>1024).
The secret is a JWK, which does not seem to be supported.

Did we set this up incorrectly, or is support for JWKs overlooked?

[wcabus]

In v4, some things have moved around, so your previous way to configure the client probably trips the new validation rule we have on the client secret.

In short, you should not set the ClientSecret property when configuring an OpenID Connect client using client assertion to authenticate. In the ClientAssertionService implementation, you still need to inject the JWK, but from configuration or a custom IOptions<...> instead of retrieving it from the OpenIdConnectOptions.ClientSecret property.

Here's a sample that shows this exact setup.

[millitza]

Thank you for the quick reply and useful link!