chore: update module dependencies and configs

Christian · Christian · commit c74a381a374a · 2026-02-12T17:07:44.000+01:00
- Upgrade `go-authx` to v1.1.0, `openai-go` to v3.18.0, `gosec` to v2.23.0, `golang.org` libraries, and others.
- Enhance `docker-compose.yml` with additional environment variables for token handling.
- Add `go/yaml/v3` dependency for extended YAML support.
diff --git a/.env.example b/.env.example
@@ -3,3 +3,4 @@ METRICS_PORT=9091
 LOG_LEVEL=info
 AUTH_ENABLED=false
 AUTH_TOKEN_TYPE=jwt
+AUTH_INTROSPECTION_AUTH_METHOD=client_secret_basic
diff --git a/.gitignore b/.gitignore
@@ -46,4 +46,5 @@ experiments/
 *.log
 build
 .env
-.cache
+.cache
+.gocache
diff --git a/README.md b/README.md
@@ -62,9 +62,34 @@ Key environment variables:
 - `AUTH_TOKEN_TYPE` - Token mode: `jwt` (default) or `opaque`
 - `AUTH_JWKS_URL` - Optional custom JWKS endpoint override (JWT mode)
 - `AUTH_INTROSPECTION_URL` - OAuth2 introspection endpoint (required in opaque mode)
-- `AUTH_INTROSPECTION_CLIENT_ID` / `AUTH_INTROSPECTION_CLIENT_SECRET` - Introspection client credentials (required in opaque mode)
+- `AUTH_INTROSPECTION_AUTH_METHOD` - Introspection client auth (`client_secret_basic` default or `private_key_jwt`)
+- `AUTH_INTROSPECTION_CLIENT_ID` / `AUTH_INTROSPECTION_CLIENT_SECRET` - Introspection client credentials (required for `client_secret_basic`)
+- `AUTH_INTROSPECTION_PRIVATE_KEY` - Private key content for `private_key_jwt` (PEM, JWK JSON, or Zitadel key JSON)
+- `AUTH_INTROSPECTION_PRIVATE_KEY_FILE` - Alternative file path for `AUTH_INTROSPECTION_PRIVATE_KEY` (mutually exclusive)
+- `AUTH_INTROSPECTION_PRIVATE_KEY_JWT_KID` - Optional JWT header `kid` override for `private_key_jwt`
+- `AUTH_INTROSPECTION_PRIVATE_KEY_JWT_ALG` - Optional signing alg override (`RS256` or `ES256`)
 - `MAX_UPLOAD_SIZE` / `TIMEOUT` / `LOG_LEVEL` - Upload limit, server timeouts, and logging level
 
+ZITADEL `private_key_jwt` examples:
+
+```bash
+# PEM (inline or from file)
+AUTH_TOKEN_TYPE=opaque
+AUTH_INTROSPECTION_URL=https://<zitadel-domain>/oauth/v2/introspect
+AUTH_INTROSPECTION_AUTH_METHOD=private_key_jwt
+AUTH_INTROSPECTION_CLIENT_ID=<client-id>
+AUTH_INTROSPECTION_PRIVATE_KEY_FILE=/run/secrets/zitadel-private-key.pem
+AUTH_INTROSPECTION_PRIVATE_KEY_JWT_ALG=RS256
+```
+
+```bash
+# Zitadel key JSON envelope (contains keyId/key/clientId)
+AUTH_TOKEN_TYPE=opaque
+AUTH_INTROSPECTION_URL=https://<zitadel-domain>/oauth/v2/introspect
+AUTH_INTROSPECTION_AUTH_METHOD=private_key_jwt
+AUTH_INTROSPECTION_PRIVATE_KEY='{"keyId":"...","key":"-----BEGIN PRIVATE KEY-----\n...","clientId":"..."}'
+```
+
 ## Usage
 
 ### CLI
diff --git a/cmd/server/main.go b/cmd/server/main.go
@@ -177,11 +177,25 @@ func buildUnaryInterceptors(cfg *config.Config) ([]grpc.UnaryServerInterceptor,
 
 	validatorBuilder := grpcserver.NewValidatorBuilder(cfg.AuthIssuer, cfg.AuthAudience)
 	if cfg.AuthTokenType == "opaque" {
-		validatorBuilder = validatorBuilder.WithOpaqueTokenIntrospection(
-			cfg.AuthIntrospectionURL,
-			cfg.AuthIntrospectionClientID,
-			cfg.AuthIntrospectionClientSecret,
-		)
+		if cfg.AuthIntrospectionAuthMethod == "private_key_jwt" {
+			authConfig := grpcserver.IntrospectionClientAuthConfig{
+				Method:                 grpcserver.IntrospectionClientAuthMethodPrivateKeyJWT,
+				ClientID:               cfg.AuthIntrospectionClientID,
+				PrivateKey:             cfg.AuthIntrospectionPrivateKey,
+				PrivateKeyJWTKeyID:     cfg.AuthIntrospectionPrivateKeyJWTKeyID,
+				PrivateKeyJWTAlgorithm: cfg.AuthIntrospectionPrivateKeyJWTAlgorithm,
+			}
+			validatorBuilder = validatorBuilder.WithOpaqueTokenIntrospectionAuth(
+				cfg.AuthIntrospectionURL,
+				authConfig,
+			)
+		} else {
+			validatorBuilder = validatorBuilder.WithOpaqueTokenIntrospection(
+				cfg.AuthIntrospectionURL,
+				cfg.AuthIntrospectionClientID,
+				cfg.AuthIntrospectionClientSecret,
+			)
+		}
 	} else if cfg.AuthJWKSURL != "" {
 		validatorBuilder = validatorBuilder.WithJWKSURL(cfg.AuthJWKSURL)
 	}
@@ -197,6 +211,7 @@ func buildUnaryInterceptors(cfg *config.Config) ([]grpc.UnaryServerInterceptor,
 		Str("audience", cfg.AuthAudience).
 		Str("jwks_url", cfg.AuthJWKSURL).
 		Str("introspection_url", cfg.AuthIntrospectionURL).
+		Str("introspection_auth_method", cfg.AuthIntrospectionAuthMethod).
 		Msg("gRPC authentication enabled")
 
 	return append(interceptors, grpcserver.UnaryServerInterceptor(
diff --git a/cmd/server/main_test.go b/cmd/server/main_test.go
@@ -2,6 +2,11 @@ package main
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
 	"fmt"
 	"net"
 	"net/http"
@@ -117,6 +122,50 @@ func TestBuildUnaryInterceptors_WithOpaqueAuth(t *testing.T) {
 	assert.Len(t, interceptors, 3)
 }
 
+func TestBuildUnaryInterceptors_WithOpaqueAuthPrivateKeyJWTPEM(t *testing.T) {
+	cfg := &config.Config{
+		AuthEnabled:                             true,
+		AuthIssuer:                              "https://issuer.example.com",
+		AuthAudience:                            "nist-entropy",
+		AuthTokenType:                           "opaque",
+		AuthIntrospectionURL:                    "https://issuer.example.com/oauth2/introspect",
+		AuthIntrospectionAuthMethod:             "private_key_jwt",
+		AuthIntrospectionClientID:               "svc-client",
+		AuthIntrospectionPrivateKey:             mustGenerateRSAPrivateKeyPEM(t),
+		AuthIntrospectionPrivateKeyJWTKeyID:     "kid-1",
+		AuthIntrospectionPrivateKeyJWTAlgorithm: "RS256",
+	}
+
+	interceptors, err := buildUnaryInterceptors(cfg)
+	require.NoError(t, err)
+	assert.Len(t, interceptors, 3)
+}
+
+func TestBuildUnaryInterceptors_WithOpaqueAuthPrivateKeyJWTZitadelJSON(t *testing.T) {
+	privateKeyPEM := mustGenerateRSAPrivateKeyPEM(t)
+	zitadelEnvelope := map[string]string{
+		"keyId":    "zitadel-kid",
+		"clientId": "svc-client",
+		"key":      privateKeyPEM,
+	}
+	zitadelKeyJSONBytes, err := json.Marshal(zitadelEnvelope)
+	require.NoError(t, err)
+
+	cfg := &config.Config{
+		AuthEnabled:                 true,
+		AuthIssuer:                  "https://issuer.example.com",
+		AuthAudience:                "nist-entropy",
+		AuthTokenType:               "opaque",
+		AuthIntrospectionURL:        "https://issuer.example.com/oauth2/introspect",
+		AuthIntrospectionAuthMethod: "private_key_jwt",
+		AuthIntrospectionPrivateKey: string(zitadelKeyJSONBytes),
+	}
+
+	interceptors, err := buildUnaryInterceptors(cfg)
+	require.NoError(t, err)
+	assert.Len(t, interceptors, 3)
+}
+
 func TestRunFailsOnBadConfig(t *testing.T) {
 	// Invalid port should cause config validation failure
 	os.Setenv("SERVER_PORT", "-1")
@@ -213,3 +262,20 @@ func mustListen(t *testing.T) net.Listener {
 	}
 	return ln
 }
+
+func mustGenerateRSAPrivateKeyPEM(t *testing.T) string {
+	t.Helper()
+
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+
+	privateKeyDER, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	require.NoError(t, err)
+
+	privateKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: privateKeyDER,
+	})
+
+	return string(privateKeyPEM)
+}
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -22,8 +22,13 @@ services:
       - AUTH_JWKS_URL=${AUTH_JWKS_URL:-}
       # Opaque mode (RFC 7662 introspection)
       - AUTH_INTROSPECTION_URL=${AUTH_INTROSPECTION_URL:-}
+      - AUTH_INTROSPECTION_AUTH_METHOD=${AUTH_INTROSPECTION_AUTH_METHOD:-client_secret_basic}
       - AUTH_INTROSPECTION_CLIENT_ID=${AUTH_INTROSPECTION_CLIENT_ID:-}
       - AUTH_INTROSPECTION_CLIENT_SECRET=${AUTH_INTROSPECTION_CLIENT_SECRET:-}
+      - AUTH_INTROSPECTION_PRIVATE_KEY=${AUTH_INTROSPECTION_PRIVATE_KEY:-}
+      - AUTH_INTROSPECTION_PRIVATE_KEY_FILE=${AUTH_INTROSPECTION_PRIVATE_KEY_FILE:-}
+      - AUTH_INTROSPECTION_PRIVATE_KEY_JWT_KID=${AUTH_INTROSPECTION_PRIVATE_KEY_JWT_KID:-}
+      - AUTH_INTROSPECTION_PRIVATE_KEY_JWT_ALG=${AUTH_INTROSPECTION_PRIVATE_KEY_JWT_ALG:-}
       - TLS_ENABLED=${TLS_ENABLED:-false}
       - TLS_CERT_FILE=${TLS_CERT_FILE:-}
       - TLS_KEY_FILE=${TLS_KEY_FILE:-}
diff --git a/docs/architecture.md b/docs/architecture.md
@@ -312,8 +312,13 @@ The `internal/config` package provides environment-variable-based configuration
 | `AUTH_TOKEN_TYPE` | `jwt` | Token mode (`jwt` or `opaque`) |
 | `AUTH_JWKS_URL` | (empty) | Custom JWKS endpoint (JWT mode) |
 | `AUTH_INTROSPECTION_URL` | (empty) | OAuth2 introspection endpoint (opaque mode) |
-| `AUTH_INTROSPECTION_CLIENT_ID` | (empty) | Introspection client ID (opaque mode) |
-| `AUTH_INTROSPECTION_CLIENT_SECRET` | (empty) | Introspection client secret (opaque mode) |
+| `AUTH_INTROSPECTION_AUTH_METHOD` | `client_secret_basic` | Introspection client auth method (`client_secret_basic` or `private_key_jwt`) |
+| `AUTH_INTROSPECTION_CLIENT_ID` | (empty) | Introspection client ID (`client_secret_basic`; optional for Zitadel key JSON with `private_key_jwt`) |
+| `AUTH_INTROSPECTION_CLIENT_SECRET` | (empty) | Introspection client secret (`client_secret_basic`) |
+| `AUTH_INTROSPECTION_PRIVATE_KEY` | (empty) | Introspection private key content for `private_key_jwt` (PEM, JWK JSON, or Zitadel key JSON) |
+| `AUTH_INTROSPECTION_PRIVATE_KEY_FILE` | (empty) | File path alternative for `AUTH_INTROSPECTION_PRIVATE_KEY` |
+| `AUTH_INTROSPECTION_PRIVATE_KEY_JWT_KID` | (empty) | Optional `kid` override for `private_key_jwt` assertions |
+| `AUTH_INTROSPECTION_PRIVATE_KEY_JWT_ALG` | (empty) | Optional assertion signing algorithm (`RS256` or `ES256`) |
 | `MAX_UPLOAD_SIZE` | `104857600` | Maximum upload size in bytes (100 MB) |
 | `TIMEOUT` | `5m` | HTTP read/write timeout |
 | `LOG_LEVEL` | `info` | Log verbosity (debug, info, warn, error) |
@@ -349,7 +354,7 @@ The service supports three security mechanisms, all of which are optional and in
 
 **mTLS (Mutual TLS)**: Controlled by `TLS_CLIENT_AUTH`, the server can require clients to present and verify X.509 certificates against a trusted CA bundle specified in `TLS_CA_FILE`.
 
-**OIDC Authentication**: When `AUTH_ENABLED=true`, a token validation interceptor is appended to the gRPC interceptor chain. In `AUTH_TOKEN_TYPE=jwt` mode, `go-authx` validates JWT access tokens via JWKS auto-discovery or `AUTH_JWKS_URL`. In `AUTH_TOKEN_TYPE=opaque` mode, `go-authx` validates opaque access tokens via RFC 7662 introspection (`AUTH_INTROSPECTION_URL` + client credentials). Health check endpoints (`/grpc.health.v1.Health/Check` and `/grpc.health.v1.Health/Watch`) are exempted from authentication.
+**OIDC Authentication**: When `AUTH_ENABLED=true`, a token validation interceptor is appended to the gRPC interceptor chain. In `AUTH_TOKEN_TYPE=jwt` mode, `go-authx` validates JWT access tokens via JWKS auto-discovery or `AUTH_JWKS_URL`. In `AUTH_TOKEN_TYPE=opaque` mode, `go-authx` validates opaque access tokens via RFC 7662 introspection (`AUTH_INTROSPECTION_URL`). Introspection client authentication supports both `client_secret_basic` and RFC 7523 `private_key_jwt` (PEM/JWK/Zitadel key JSON). Health check endpoints (`/grpc.health.v1.Health/Check` and `/grpc.health.v1.Health/Watch`) are exempted from authentication.
 
 ## 5. Build Architecture
 
@@ -488,7 +493,7 @@ The `DataGuard` class in `wrapper.cpp` implements RAII (Resource Acquisition Is
 | Native Code | C++11 with OpenMP |
 | RPC Framework | gRPC (google.golang.org/grpc v1.78.0) |
 | Protocol Definitions | Protocol Buffers v3 |
-| Authentication | OIDC JWT + opaque token introspection via go-authx v1.0.1 |
+| Authentication | OIDC JWT + opaque token introspection (client_secret_basic/private_key_jwt) via go-authx v1.1.0 |
 | Logging | zerolog (structured JSON) |
 | Metrics | Prometheus client_golang v1.23.2 with promauto |
 | Testing | testify, gotestsum, teststub build tag |
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -42,14 +42,19 @@ type Config struct {
 	MetricsEnabled bool
 
 	// Authentication
-	AuthEnabled                   bool
-	AuthIssuer                    string
-	AuthAudience                  string
-	AuthJWKSURL                   string
-	AuthTokenType                 string
-	AuthIntrospectionURL          string
-	AuthIntrospectionClientID     string
-	AuthIntrospectionClientSecret string
+	AuthEnabled                             bool
+	AuthIssuer                              string
+	AuthAudience                            string
+	AuthJWKSURL                             string
+	AuthTokenType                           string
+	AuthIntrospectionURL                    string
+	AuthIntrospectionAuthMethod             string
+	AuthIntrospectionClientID               string
+	AuthIntrospectionClientSecret           string
+	AuthIntrospectionPrivateKey             string
+	AuthIntrospectionPrivateKeyFile         string
+	AuthIntrospectionPrivateKeyJWTKeyID     string
+	AuthIntrospectionPrivateKeyJWTAlgorithm string
 }
 
 // LoadConfig reads configuration from environment variables, applies default
@@ -58,28 +63,33 @@ type Config struct {
 func LoadConfig() (*Config, error) {
 	config := &Config{
 		// Defaults
-		ServerPort:                    getEnvAsInt("METRICS_PORT", getEnvAsInt("SERVER_PORT", 9091)),
-		ServerHost:                    getEnv("SERVER_HOST", "0.0.0.0"),
-		GRPCEnabled:                   getEnvAsBool("GRPC_ENABLED", false),
-		GRPCPort:                      getEnvAsInt("GRPC_PORT", 9090),
-		TLSEnabled:                    getEnvAsBool("TLS_ENABLED", false),
-		TLSCertFile:                   getEnv("TLS_CERT_FILE", ""),
-		TLSKeyFile:                    getEnv("TLS_KEY_FILE", ""),
-		TLSCAFile:                     getEnv("TLS_CA_FILE", ""),
-		TLSClientAuth:                 getEnv("TLS_CLIENT_AUTH", "none"),
-		TLSMinVersion:                 getEnv("TLS_MIN_VERSION", "1.2"),
-		LogLevel:                      getEnv("LOG_LEVEL", "info"),
-		MaxUploadSize:                 getEnvAsInt64("MAX_UPLOAD_SIZE", 100*1024*1024), // 100MB default
-		Timeout:                       getEnvAsDuration("TIMEOUT", 5*time.Minute),
-		MetricsEnabled:                getEnvAsBool("METRICS_ENABLED", true),
-		AuthEnabled:                   getEnvAsBool("AUTH_ENABLED", false),
-		AuthIssuer:                    getEnv("AUTH_ISSUER", ""),
-		AuthAudience:                  getEnv("AUTH_AUDIENCE", ""),
-		AuthJWKSURL:                   getEnv("AUTH_JWKS_URL", ""),
-		AuthTokenType:                 getEnv("AUTH_TOKEN_TYPE", "jwt"),
-		AuthIntrospectionURL:          getEnv("AUTH_INTROSPECTION_URL", ""),
-		AuthIntrospectionClientID:     getEnv("AUTH_INTROSPECTION_CLIENT_ID", ""),
-		AuthIntrospectionClientSecret: getEnv("AUTH_INTROSPECTION_CLIENT_SECRET", ""),
+		ServerPort:                              getEnvAsInt("METRICS_PORT", getEnvAsInt("SERVER_PORT", 9091)),
+		ServerHost:                              getEnv("SERVER_HOST", "0.0.0.0"),
+		GRPCEnabled:                             getEnvAsBool("GRPC_ENABLED", false),
+		GRPCPort:                                getEnvAsInt("GRPC_PORT", 9090),
+		TLSEnabled:                              getEnvAsBool("TLS_ENABLED", false),
+		TLSCertFile:                             getEnv("TLS_CERT_FILE", ""),
+		TLSKeyFile:                              getEnv("TLS_KEY_FILE", ""),
+		TLSCAFile:                               getEnv("TLS_CA_FILE", ""),
+		TLSClientAuth:                           getEnv("TLS_CLIENT_AUTH", "none"),
+		TLSMinVersion:                           getEnv("TLS_MIN_VERSION", "1.2"),
+		LogLevel:                                getEnv("LOG_LEVEL", "info"),
+		MaxUploadSize:                           getEnvAsInt64("MAX_UPLOAD_SIZE", 100*1024*1024), // 100MB default
+		Timeout:                                 getEnvAsDuration("TIMEOUT", 5*time.Minute),
+		MetricsEnabled:                          getEnvAsBool("METRICS_ENABLED", true),
+		AuthEnabled:                             getEnvAsBool("AUTH_ENABLED", false),
+		AuthIssuer:                              getEnv("AUTH_ISSUER", ""),
+		AuthAudience:                            getEnv("AUTH_AUDIENCE", ""),
+		AuthJWKSURL:                             getEnv("AUTH_JWKS_URL", ""),
+		AuthTokenType:                           getEnv("AUTH_TOKEN_TYPE", "jwt"),
+		AuthIntrospectionURL:                    getEnv("AUTH_INTROSPECTION_URL", ""),
+		AuthIntrospectionAuthMethod:             getEnv("AUTH_INTROSPECTION_AUTH_METHOD", "client_secret_basic"),
+		AuthIntrospectionClientID:               getEnv("AUTH_INTROSPECTION_CLIENT_ID", ""),
+		AuthIntrospectionClientSecret:           getEnv("AUTH_INTROSPECTION_CLIENT_SECRET", ""),
+		AuthIntrospectionPrivateKey:             getEnv("AUTH_INTROSPECTION_PRIVATE_KEY", ""),
+		AuthIntrospectionPrivateKeyFile:         getEnv("AUTH_INTROSPECTION_PRIVATE_KEY_FILE", ""),
+		AuthIntrospectionPrivateKeyJWTKeyID:     getEnv("AUTH_INTROSPECTION_PRIVATE_KEY_JWT_KID", ""),
+		AuthIntrospectionPrivateKeyJWTAlgorithm: getEnv("AUTH_INTROSPECTION_PRIVATE_KEY_JWT_ALG", ""),
 	}
 
 	if err := config.Validate(); err != nil {
@@ -135,11 +145,44 @@ func (c *Config) Validate() error {
 			if c.AuthIntrospectionURL == "" {
 				return fmt.Errorf("invalid auth introspection URL: required when AUTH_TOKEN_TYPE=opaque")
 			}
-			if c.AuthIntrospectionClientID == "" {
-				return fmt.Errorf("invalid auth introspection client ID: required when AUTH_TOKEN_TYPE=opaque")
+			authMethod, err := parseAuthIntrospectionAuthMethod(c.AuthIntrospectionAuthMethod)
+			if err != nil {
+				return err
 			}
-			if c.AuthIntrospectionClientSecret == "" {
-				return fmt.Errorf("invalid auth introspection client secret: required when AUTH_TOKEN_TYPE=opaque")
+			c.AuthIntrospectionAuthMethod = authMethod
+
+			switch c.AuthIntrospectionAuthMethod {
+			case "client_secret_basic":
+				if c.AuthIntrospectionClientID == "" {
+					return fmt.Errorf("invalid auth introspection client ID: required when AUTH_INTROSPECTION_AUTH_METHOD=client_secret_basic")
+				}
+				if c.AuthIntrospectionClientSecret == "" {
+					return fmt.Errorf("invalid auth introspection client secret: required when AUTH_INTROSPECTION_AUTH_METHOD=client_secret_basic")
+				}
+			case "private_key_jwt":
+				c.AuthIntrospectionPrivateKey = strings.TrimSpace(c.AuthIntrospectionPrivateKey)
+				c.AuthIntrospectionPrivateKeyFile = strings.TrimSpace(c.AuthIntrospectionPrivateKeyFile)
+				if c.AuthIntrospectionPrivateKey != "" && c.AuthIntrospectionPrivateKeyFile != "" {
+					return fmt.Errorf("invalid auth introspection private key config: AUTH_INTROSPECTION_PRIVATE_KEY and AUTH_INTROSPECTION_PRIVATE_KEY_FILE are mutually exclusive")
+				}
+				if c.AuthIntrospectionPrivateKey == "" && c.AuthIntrospectionPrivateKeyFile == "" {
+					return fmt.Errorf("invalid auth introspection private key: required when AUTH_INTROSPECTION_AUTH_METHOD=private_key_jwt")
+				}
+				if c.AuthIntrospectionPrivateKeyFile != "" {
+					privateKeyBytes, readErr := os.ReadFile(c.AuthIntrospectionPrivateKeyFile)
+					if readErr != nil {
+						return fmt.Errorf("invalid auth introspection private key file: %w", readErr)
+					}
+					c.AuthIntrospectionPrivateKey = strings.TrimSpace(string(privateKeyBytes))
+					if c.AuthIntrospectionPrivateKey == "" {
+						return fmt.Errorf("invalid auth introspection private key file: empty file")
+					}
+				}
+				privateKeyJWTAlgorithm, parseErr := parseAuthIntrospectionPrivateKeyJWTAlgorithm(c.AuthIntrospectionPrivateKeyJWTAlgorithm)
+				if parseErr != nil {
+					return parseErr
+				}
+				c.AuthIntrospectionPrivateKeyJWTAlgorithm = privateKeyJWTAlgorithm
 			}
 		}
 	}
@@ -238,6 +281,26 @@ func parseAuthTokenType(tokenType string) (string, error) {
 	}
 }
 
+func parseAuthIntrospectionAuthMethod(method string) (string, error) {
+	switch strings.ToLower(strings.TrimSpace(method)) {
+	case "", "client_secret_basic":
+		return "client_secret_basic", nil
+	case "private_key_jwt":
+		return "private_key_jwt", nil
+	default:
+		return "", fmt.Errorf("invalid AUTH_INTROSPECTION_AUTH_METHOD: %s (use client_secret_basic or private_key_jwt)", method)
+	}
+}
+
+func parseAuthIntrospectionPrivateKeyJWTAlgorithm(algorithm string) (string, error) {
+	switch strings.ToUpper(strings.TrimSpace(algorithm)) {
+	case "", "RS256", "ES256":
+		return strings.ToUpper(strings.TrimSpace(algorithm)), nil
+	default:
+		return "", fmt.Errorf("invalid AUTH_INTROSPECTION_PRIVATE_KEY_JWT_ALG: %s (use RS256 or ES256)", algorithm)
+	}
+}
+
 func getEnvAsInt64(key string, defaultValue int64) int64 {
 	valueStr := os.Getenv(key)
 	if valueStr == "" {
diff --git a/internal/config/config_test.go b/internal/config/config_test.go

-Original file line number
+Diff line change
 *.log
 build
 .env
 -.cache
 +.cache
 +.gocache