Merge pull request #110 from linuxfoundation/andrest50/auth0-private-key

[LFXV2-1043] Replace Auth0 client secret with private key authentication

Author: andrest50

.env.example

@@ -13,8 +13,9 @@ JWT_AUTH_DISABLED_MOCK_LOCAL_PRINCIPAL=
 ITX_BASE_URL=https://api.dev.itx.linuxfoundation.org
 # OAuth2 client ID for ITX
 ITX_CLIENT_ID=
-# OAuth2 client secret for ITX (keep secure!)
-ITX_CLIENT_SECRET=
+# RSA private key in PEM format for ITX OAuth2 M2M authentication (keep secure!)
+# Can be loaded from file: export ITX_CLIENT_PRIVATE_KEY="$(cat path/to/private.key)"
+ITX_CLIENT_PRIVATE_KEY=
 ITX_AUTH0_DOMAIN=linuxfoundation-dev.auth0.com
 ITX_AUDIENCE=https://api.dev.itx.linuxfoundation.org/
 

CLAUDE.md

@@ -127,7 +127,7 @@ For ITX proxy functionality, configure these environment variables:
 
 - `ITX_BASE_URL`: Base URL for ITX service (e.g., `https://api.itx.linuxfoundation.org`)
 - `ITX_CLIENT_ID`: OAuth2 client ID for ITX authentication
-- `ITX_CLIENT_SECRET`: OAuth2 client secret for ITX authentication
+- `ITX_CLIENT_PRIVATE_KEY`: RSA private key in PEM format for ITX OAuth2 M2M authentication (load from file: `export ITX_CLIENT_PRIVATE_KEY="$(cat path/to/private.key)"`)
 - `ITX_AUTH0_DOMAIN`: Auth0 domain for OAuth2 (e.g., `linuxfoundation.auth0.com`)
 - `ITX_AUDIENCE`: OAuth2 audience for ITX service (e.g., `https://api.itx.linuxfoundation.org/`)
 

README.md

@@ -14,7 +14,7 @@ helm upgrade --install lfx-v2-meeting-service ./charts/lfx-v2-meeting-service \
   --set image.tag=latest \
   --set app.environment.ITX_BASE_URL.value="https://api.itx.linuxfoundation.org" \
   --set app.environment.ITX_CLIENT_ID.value="your-client-id" \
-  --set app.environment.ITX_CLIENT_SECRET.value="your-client-secret"
+  --set-file app.environment.ITX_CLIENT_PRIVATE_KEY.value=path/to/private.key
 ```
 
 ### For Local Development
@@ -46,7 +46,7 @@ helm upgrade --install lfx-v2-meeting-service ./charts/lfx-v2-meeting-service \
    ITX_ENABLED=true
    ITX_BASE_URL=https://api.dev.itx.linuxfoundation.org
    ITX_CLIENT_ID=your-client-id
-   ITX_CLIENT_SECRET=your-client-secret
+   ITX_CLIENT_PRIVATE_KEY="$(cat path/to/private.key)"
    ITX_AUTH0_DOMAIN=linuxfoundation-dev.auth0.com
    ITX_AUDIENCE=https://api.dev.itx.linuxfoundation.org/
    ```
@@ -273,7 +273,7 @@ docker run -p 8080:8080 \
   -e ITX_ENABLED=true \
   -e ITX_BASE_URL=https://api.itx.linuxfoundation.org \
   -e ITX_CLIENT_ID=your-client-id \
-  -e ITX_CLIENT_SECRET=your-client-secret \
+  -e ITX_CLIENT_PRIVATE_KEY="$(cat path/to/private.key)" \
   linuxfoundation/lfx-v2-meeting-service:latest
 ```
 
@@ -337,7 +337,7 @@ The service can be configured via environment variables:
 |----------|-------------|---------|
 | `ITX_BASE_URL` | Base URL for ITX service | `https://api.itx.linuxfoundation.org` |
 | `ITX_CLIENT_ID` | OAuth2 client ID for ITX | `your-client-id` |
-| `ITX_CLIENT_SECRET` | OAuth2 client secret for ITX | `your-client-secret` |
+| `ITX_CLIENT_PRIVATE_KEY` | RSA private key in PEM format for ITX OAuth2 M2M authentication | `"$(cat path/to/private.key)"` |
 | `ITX_AUTH0_DOMAIN` | Auth0 domain for ITX OAuth2 | `linuxfoundation.auth0.com` |
 | `ITX_AUDIENCE` | OAuth2 audience for ITX | `https://api.itx.linuxfoundation.org/` |
 

charts/lfx-v2-meeting-service/Chart.yaml

@@ -5,5 +5,5 @@ apiVersion: v2
 name: lfx-v2-meeting-service
 description: LFX Platform V2 Meeting Service chart
 type: application
-version: 0.6.0
+version: 0.6.1
 appVersion: "latest"

charts/lfx-v2-meeting-service/values.yaml

@@ -91,8 +91,8 @@ app:
     # ITX_CLIENT_ID is the OAuth2 client ID for ITX service authentication
     ITX_CLIENT_ID:
       value: null
-    # ITX_CLIENT_SECRET is the OAuth2 client secret for ITX service authentication
-    ITX_CLIENT_SECRET:
+    # ITX_CLIENT_PRIVATE_KEY is the RSA private key in PEM format for ITX OAuth2 M2M authentication
+    ITX_CLIENT_PRIVATE_KEY:
       value: null
     # ITX_AUTH0_DOMAIN is the Auth0 domain for ITX OAuth2 authentication
     ITX_AUTH0_DOMAIN:

cmd/meeting-api/config.go

@@ -31,11 +31,11 @@ type environment struct {
 
 // itxConfig holds ITX proxy configuration
 type itxConfig struct {
-	BaseURL      string
-	ClientID     string
-	ClientSecret string
-	Auth0Domain  string
-	Audience     string
+	BaseURL     string
+	ClientID    string
+	PrivateKey  string
+	Auth0Domain string
+	Audience    string
 }
 
 // parseFlags parses command line flags for the meeting service
@@ -122,9 +122,9 @@ func parseITXConfig() itxConfig {
 		os.Exit(1)
 	}
 
-	clientSecret := os.Getenv("ITX_CLIENT_SECRET")
-	if clientSecret == "" {
-		slog.Error("ITX_CLIENT_SECRET environment variable is required but not set")
+	privateKey := os.Getenv("ITX_CLIENT_PRIVATE_KEY")
+	if privateKey == "" {
+		slog.Error("ITX_CLIENT_PRIVATE_KEY environment variable is required but not set")
 		os.Exit(1)
 	}
 
@@ -144,10 +144,10 @@ func parseITXConfig() itxConfig {
 	}
 
 	return itxConfig{
-		BaseURL:      baseURL,
-		ClientID:     clientID,
-		ClientSecret: clientSecret,
-		Auth0Domain:  auth0Domain,
-		Audience:     audience,
+		BaseURL:     baseURL,
+		ClientID:    clientID,
+		PrivateKey:  privateKey,
+		Auth0Domain: auth0Domain,
+		Audience:    audience,
 	}
 }

cmd/meeting-api/main.go

@@ -109,12 +109,12 @@ func run() int {
 
 	// Initialize ITX proxy client and services
 	itxProxyConfig := proxy.Config{
-		BaseURL:      env.ITXConfig.BaseURL,
-		ClientID:     env.ITXConfig.ClientID,
-		ClientSecret: env.ITXConfig.ClientSecret,
-		Auth0Domain:  env.ITXConfig.Auth0Domain,
-		Audience:     env.ITXConfig.Audience,
-		Timeout:      30 * time.Second,
+		BaseURL:     env.ITXConfig.BaseURL,
+		ClientID:    env.ITXConfig.ClientID,
+		PrivateKey:  env.ITXConfig.PrivateKey,
+		Auth0Domain: env.ITXConfig.Auth0Domain,
+		Audience:    env.ITXConfig.Audience,
+		Timeout:     30 * time.Second,
 	}
 	itxProxyClient := proxy.NewClient(itxProxyConfig)
 	itxMeetingService := itxservice.NewMeetingService(itxProxyClient, idMapper)

docs/itx-proxy-implementation.md

@@ -304,11 +304,11 @@ func (c *Client) ensureValidToken(ctx context.Context) error {
 
 ```bash
 # ITX Service Configuration
-ITX_BASE_URL=https://api.itx.linuxfoundation.org         # ITX service URL
-ITX_CLIENT_ID=your-client-id                             # OAuth2 client ID
-ITX_CLIENT_SECRET=your-client-secret                      # OAuth2 client secret
-ITX_AUTH0_DOMAIN=linuxfoundation.auth0.com               # Auth0 domain
-ITX_AUDIENCE=https://api.itx.linuxfoundation.org/        # OAuth2 audience
+ITX_BASE_URL=https://api.itx.linuxfoundation.org              # ITX service URL
+ITX_CLIENT_ID=your-client-id                                  # OAuth2 client ID
+ITX_CLIENT_PRIVATE_KEY="$(cat path/to/private.key)"          # RSA private key in PEM format
+ITX_AUTH0_DOMAIN=linuxfoundation.auth0.com                    # Auth0 domain
+ITX_AUDIENCE=https://api.itx.linuxfoundation.org/             # OAuth2 audience
 
 # Authentication
 JWKS_URL=http://lfx-platform-heimdall.lfx.svc.cluster.local:4457/.well-known/jwks
@@ -342,8 +342,8 @@ app:
       value: https://api.itx.linuxfoundation.org
     ITX_CLIENT_ID:
       value: null  # Set via sealed secret
-    ITX_CLIENT_SECRET:
-      value: null  # Set via sealed secret
+    ITX_CLIENT_PRIVATE_KEY:
+      value: null  # Set via sealed secret (RSA private key in PEM format)
     ITX_AUTH0_DOMAIN:
       value: linuxfoundation.auth0.com
     ITX_AUDIENCE:

go.mod

@@ -6,6 +6,7 @@ module github.com/linuxfoundation/lfx-v2-meeting-service
 go 1.24.5
 
 require (
+	github.com/auth0/go-auth0 v1.33.0
 	github.com/auth0/go-jwt-middleware/v2 v2.3.0
 	github.com/google/uuid v1.6.0
 	github.com/nats-io/nats.go v1.44.0
@@ -30,22 +31,33 @@ require (
 )
 
 require (
+	github.com/PuerkitoBio/rehttp v1.4.0 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/dimfeld/httppath v0.0.0-20170720192232-ee938bf73598 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-chi/chi/v5 v5.2.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/gohugoio/hashstructure v0.6.0 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.3 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc v1.0.6 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/jwx/v2 v2.1.6 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/manveru/faker v0.0.0-20171103152722-9fbc68a78c4d // indirect
 	github.com/nats-io/nkeys v0.4.11 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/segmentio/asm v1.2.0 // indirect
+	go.devnw.com/structs v1.0.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 // indirect
 	go.opentelemetry.io/otel/metric v1.40.0 // indirect