feat: add private_key_jwt client authentication support and abp generate-jwks CLI command #25068

Merged: EngincanV merged 12 commits into dev from private_key_jwt, Mar 12, 2026

@maliming maliming commented Mar 11, 2026

Member

Companion PR (management UI): volosoft/volo#21892

Adds private_key_jwt client authentication tooling and demo to the open-source ABP repo:

  • New abp generate-jwks CLI command to generate an RSA key pair as JWKS (public) + PKCS#8 PEM (private)
  • Updates OpenIddict demo server to seed a private_key_jwt-enabled application using the generated JWKS
  • Updates OpenIddict demo console client to authenticate via a signed client assertion JWT
  • Documentation for the generate-jwks CLI command
  • Bumps Microsoft.IdentityModel.* packages to 8.16.0

Community article: https://github.com/abpframework/abp/blob/dev/docs/en/Community-Articles/2026-03-12-OpenIddict-private-key-jwt/POST.md

OpenIddict.Abstractions 7.3.0 requires Microsoft.IdentityModel.Tokens >= 8.16.0
@maliming maliming marked this pull request as ready for review March 12, 2026 04:58
Copilot AI review requested due to automatic review settings March 12, 2026 04:58
@maliming maliming added the dependency-change Indicates a version change of a dependency (typically, upgrade) label Mar 12, 2026

Copilot AI left a comment

Contributor

Pull request overview

Adds a JWKS-based private_key_jwt demo flow for OpenIddict (server seeds an app with a JWKS public key; console client signs a client assertion with a matching private key) and introduces an ABP CLI command to generate JWKS/private key material. The PR also removes a large set of vendored frontend library assets from the demo server’s wwwroot.

Changes:

  • Add abp generate-jwks CLI command + documentation to generate an RSA JWKS (public) and PEM (private) for private_key_jwt.
  • Update OpenIddict demo server seeding and console client to demonstrate private_key_jwt using the generated keys.
  • Remove multiple vendored JS/CSS assets from the demo server wwwroot/libs.

Reviewed changes

Copilot reviewed 88 out of 565 changed files in this pull request and generated 6 comments.

File Description
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/methods_pt.js Removed vendored jQuery Validation “methods” locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/methods_nl.js Removed vendored jQuery Validation “methods” locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/methods_it.js Removed vendored jQuery Validation “methods” locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/methods_fi.js Removed vendored jQuery Validation “methods” locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/methods_es_CL.js Removed vendored jQuery Validation “methods” locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/methods_de.js Removed vendored jQuery Validation “methods” locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_zh_TW.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_zh.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_vi.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_ur.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_uk.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_tr.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_tj.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_th.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_sv.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_sr_lat.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_sr.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_sl.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_sk.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_si.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_sd.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_ru.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_ro.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_pt_PT.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_pt_BR.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_pl.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_no.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_nl.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_my.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_mk.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_lv.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_lt.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_ko.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_kk.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_ka.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_ja.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_it.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_is.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_id.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_hy_AM.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_hu.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_hr.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_he.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_gl.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_ge.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_fr.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_fi.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_fa.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_eu.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_et.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_es_PE.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_es_AR.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_es.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_el.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_de.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_da.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_cs.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_ca.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_bn_BD.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_bg.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_az.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation/localization/messages_ar.js Removed vendored jQuery Validation messages locale file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/jquery-validation-unobtrusive/jquery.validate.unobtrusive.js Removed vendored jquery-validation-unobtrusive bundle.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/datatables.net-bs5/js/dataTables.bootstrap5.js Removed vendored DataTables Bootstrap integration JS.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/datatables.net-bs5/css/dataTables.bootstrap5.css Removed vendored DataTables Bootstrap integration CSS.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/bootstrap/js/bootstrap.enable.tooltips.everywhere.js Removed bootstrap tooltip initializer helper.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/bootstrap/js/bootstrap.enable.popovers.everywhere.js Removed bootstrap popover initializer helper.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/bootstrap-daterangepicker/daterangepicker.css Removed vendored daterangepicker CSS.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/bootstrap-datepicker/bootstrap-datepicker.min.css Removed vendored bootstrap-datepicker CSS.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/abp/utils/abp-utils.umd.js Removed vendored ABP utils UMD bundle.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/abp/luxon/abp.luxon.js Removed vendored ABP Luxon integration helper.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/abp/jquery/abp.jquery.js Removed vendored ABP jQuery integration helper.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/abp/core/abp.js Removed vendored ABP core JS file.
modules/openiddict/app/OpenIddict.Demo.Server/wwwroot/libs/abp/core/abp.css Removed vendored ABP core CSS file.
modules/openiddict/app/OpenIddict.Demo.Server/OpenIddict.Demo.Server.csproj Copies jwks.json to output so the server can seed the JWKS-enabled client.
modules/openiddict/app/OpenIddict.Demo.Server/Migrations/ServerDbContextModelSnapshot.cs Updates EF Core model snapshot (new identity/permission-related fields and tables).
modules/openiddict/app/OpenIddict.Demo.Server/Migrations/20260311061448_Initial.cs Updates initial migration to match new snapshot (permissions/resource grants/passkeys/password histories).
modules/openiddict/app/OpenIddict.Demo.Server/EntityFrameworkCore/ServerDataSeedContributor.cs Seeds a new OpenIddict application using JWKS for private_key_jwt.
modules/openiddict/app/OpenIddict.Demo.Client.Console/Program.cs Adds private_key_jwt client-credentials demo using a signed client assertion JWT.
modules/openiddict/app/OpenIddict.Demo.Client.Console/OpenIddict.Demo.Client.Console.csproj Adds JWT tooling package and copies jwks-private.pem to output for the demo.
framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Commands/GenerateJwksCommand.cs Introduces new abp generate-jwks command to generate JWKS + private key.
framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/AbpCliCoreModule.cs Registers the new CLI command.
docs/en/cli/index.md Documents the new generate-jwks command and workflow.
Directory.Packages.props Bumps IdentityModel package versions used by the repo.
Files not reviewed (1)
  • modules/openiddict/app/OpenIddict.Demo.Server/Migrations/20260311061448_Initial.Designer.cs: Language not supported

Comment thread modules/openiddict/app/OpenIddict.Demo.Client.Console/Program.cs Outdated
@maliming maliming requested a review from Copilot March 12, 2026 05:49

Copilot AI left a comment

Contributor

Pull request overview

Copilot reviewed 88 out of 565 changed files in this pull request and generated 5 comments.

Files not reviewed (1)
  • modules/openiddict/app/OpenIddict.Demo.Server/Migrations/20260311061448_Initial.Designer.cs: Language not supported

Comment thread modules/openiddict/app/OpenIddict.Demo.Client.Console/Program.cs
codecov Bot commented Mar 12, 2026

Codecov Report

❌ Patch coverage is 0.88496% with 112 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.52%. Comparing base (d24b749) to head (3786ddf).
⚠️ Report is 957 commits behind head on dev.

Files with missing lines Patch % Lines
....Core/Volo/Abp/Cli/Commands/GenerateJwksCommand.cs 0.00% 112 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##              dev   #25068      +/-   ##
==========================================
- Coverage   50.82%   50.52%   -0.31%     
==========================================
  Files        3396     3464      +68     
  Lines      111587   116360    +4773     
  Branches     8450     8810     +360     
==========================================
+ Hits        56717    58787    +2070     
- Misses      53145    55789    +2644     
- Partials     1725     1784      +59     

@github-actions

Contributor

Images automagically compressed by Calibre's image-actions

Compression reduced images by 75%, saving 1.1 MB.

Filename Before After Improvement Visual comparison
docs/en/Community-Articles/2026-03-12-OpenIddict-private-key-jwt-with-JWKS/cover.png 1.1 MB 308.9 KB 73.5% View diff
docs/en/Community-Articles/2026-03-12-OpenIddict-private-key-jwt-with-JWKS/create-edit-ui.png 383.2 KB 78.6 KB 79.5% View diff

@github-actions

Contributor

Images automagically compressed by Calibre's image-actions

Compression reduced images by 33.7%, saving 130.7 KB.

Filename Before After Improvement Visual comparison
docs/en/Community-Articles/2026-03-12-OpenIddict-private-key-jwt-with-JWKS/cover.png 308.9 KB 184.8 KB 40.2% View diff
docs/en/Community-Articles/2026-03-12-OpenIddict-private-key-jwt-with-JWKS/create-edit-ui.png 78.6 KB 72.1 KB 8.3% View diff

@github-actions

Contributor

Images automagically compressed by Calibre's image-actions

Compression reduced images by 68.2%, saving 126.1 KB.

Filename Before After Improvement Visual comparison
docs/en/Community-Articles/2026-03-12-OpenIddict-private-key-jwt/cover.png 184.8 KB 58.7 KB 68.2% View diff

1 image did not require optimisation.

@maliming maliming requested a review from EngincanV March 12, 2026 07:43
@maliming maliming changed the title Add JWKS private key and public key set for OpenIddict integration feat: add private_key_jwt client authentication support and abp generate-jwks CLI command Mar 12, 2026
@EngincanV EngincanV merged commit 6667c52 into dev Mar 12, 2026
1 check passed
@EngincanV EngincanV deleted the private_key_jwt branch March 12, 2026 10:53
Labels

abp-module-openiddict dependency-change Indicates a version change of a dependency (typically, upgrade) feature
