
chore(deps): consume server v1.14 (private_key_jwt) + env #24

Merged: lopadova merged 1 commit from task/bump-server-v1.14-pkjwt into main on Jul 4, 2026

Conversation

lopadova (Contributor) commented Jul 4, 2026

Bump server ^1.14 + client ^1.2; document IAM_OAUTH_CLIENT_ASSERTION_MAX_LIFETIME. Makes the deployed console private_key_jwt-capable.

…ument its env

Bumps padosoft/laravel-iam-server ^1.14 (asymmetric client auth) and laravel-iam-client ^1.2, and documents
IAM_OAUTH_CLIENT_ASSERTION_MAX_LIFETIME in .env.example (per the env-sync rule). The new jwks +
token_endpoint_auth_method columns migrate via the package. 21 tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@lopadova lopadova added the testE2E Run the end-to-end Playwright CI label Jul 4, 2026
@lopadova lopadova merged commit 26191fd into main Jul 4, 2026
3 checks passed
@lopadova lopadova deleted the task/bump-server-v1.14-pkjwt branch July 4, 2026 16:30

chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 295f316769


Comment thread .env.example
IAM_OAUTH_CLIENT_SELFFETCH=false
# private_key_jwt (RFC 7523): reject a client assertion whose lifetime (exp − iat) exceeds this many SECONDS.
# Caps the useful window of a stolen assertion (jti also makes it single-use). Default 300 (5 min).
IAM_OAUTH_CLIENT_ASSERTION_MAX_LIFETIME=300
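Review bot: the comment's "jti also makes it single-use" only holds if the server's replay store keeps a seen jti for at least as long as the assertion remains valid, i.e. for up to IAM_OAUTH_CLIENT_ASSERTION_MAX_LIFETIME seconds after iat; with a shorter retention an assertion whose exp is still in the future can be presented again once its jti has aged out. Suggest saying so next to the cap, e.g. `# the jti replay store must retain entries at least this long`, so operators who raise the value know the two settings move together.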

P2: Honor assertion lifetime env in app config

This adds IAM_OAUTH_CLIENT_ASSERTION_MAX_LIFETIME, but this app already publishes its own config/iam.php with a complete oauth array and no client_assertion_max_lifetime entry. The v1.14 server binding reads config('iam.oauth.client_assertion_max_lifetime'), so changing the newly documented env in this repo is silently ignored and the verifier always falls back to 300 seconds; deployments trying to tighten or relax the assertion lifetime from .env will not get the configured behavior until the corresponding config key is wired through.

