chore(deps): consume server v1.14 (private_key_jwt) + env#24
…ument its env

Bumps padosoft/laravel-iam-server ^1.14 (asymmetric client auth) and laravel-iam-client ^1.2, and documents IAM_OAUTH_CLIENT_ASSERTION_MAX_LIFETIME in .env.example (per the env-sync rule). The new jwks + token_endpoint_auth_method columns migrate via the package. 21 tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 295f316769
| IAM_OAUTH_CLIENT_SELFFETCH=false | ||
| # private_key_jwt (RFC 7523): reject a client assertion whose lifetime (exp − iat) exceeds this many SECONDS. | ||
| # Caps the useful window of a stolen assertion (jti also makes it single-use). Default 300 (5 min). | ||
| IAM_OAUTH_CLIENT_ASSERTION_MAX_LIFETIME=300 |
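Review bot: the comment above IAM_OAUTH_CLIENT_ASSERTION_MAX_LIFETIME defines the cap as exp − iat but does not say how an assertion that carries no iat is treated. RFC 7523 makes iat optional, so the comment should state whether such an assertion is rejected outright or measured some other way. The "jti also makes it single-use" remark also depends on the replay store keeping each jti for at least this many seconds, so it is worth noting that raising the value raises that retention requirement.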
Honor assertion lifetime env in app config
This adds IAM_OAUTH_CLIENT_ASSERTION_MAX_LIFETIME, but this app already publishes its own config/iam.php with a complete oauth array and no client_assertion_max_lifetime entry. The v1.14 server binding reads config('iam.oauth.client_assertion_max_lifetime'), so changing the newly documented env in this repo is silently ignored and the verifier always falls back to 300 seconds; deployments trying to tighten or relax the assertion lifetime from .env will not get the configured behavior until the corresponding config key is wired through.
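What the cap discussed in this thread controls, as an added example (not code from this PR or from padosoft/laravel-iam-server): a stand-alone check of an assertion's exp − iat window plus jti single-use, where `$maxLifetime` stands for the value the app config would supply. The function name, the reason strings, the in-memory jti store, the choice to require iat and integer timestamps, and the sample claims are all assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not the package's verifier. Names and reason strings are hypothetical.
// Returns null when the assertion's time window and jti are acceptable, else a reason.
function checkAssertionWindow(array $claims, int $maxLifetime, int $now, array &$seenJti): ?string
{
    foreach (['exp', 'iat', 'jti'] as $name) {
        if (!isset($claims[$name])) {
            // Assumption: iat is required here, because the cap is defined on exp - iat.
            return "missing_$name";
        }
    }
    // Assumption: integer timestamps only, to keep the sketch small.
    if (!is_int($claims['exp']) || !is_int($claims['iat']) || !is_string($claims['jti'])) {
        return 'malformed_claim';
    }

    $lifetime = $claims['exp'] - $claims['iat'];
    if ($lifetime <= 0) return 'exp_not_after_iat';
    if ($lifetime > $maxLifetime) return 'lifetime_exceeds_cap';
    if ($claims['exp'] <= $now) return 'expired';
    if ($claims['iat'] > $now) return 'issued_in_future'; // no clock-skew allowance in this sketch

    // Single use: drop jti entries whose assertion has expired, then refuse a repeat.
    foreach ($seenJti as $jti => $exp) {
        if ($exp <= $now) unset($seenJti[$jti]);
    }
    if (isset($seenJti[$claims['jti']])) return 'replayed_jti';
    $seenJti[$claims['jti']] = $claims['exp']; // must be kept until exp for single-use to hold
    return null;
}

// Constructed sample claims; 300 mirrors the default named in .env.example.
$max = 300;
$now = 1700000000;
$seen = [];
$cases = [
    'fresh'    => ['iat' => $now - 10, 'exp' => $now + 290,  'jti' => 'a1'],
    'replayed' => ['iat' => $now - 10, 'exp' => $now + 290,  'jti' => 'a1'],
    'too_long' => ['iat' => $now - 10, 'exp' => $now + 3590, 'jti' => 'b2'],
    'no_iat'   => ['exp' => $now + 60, 'jti' => 'c3'],
];
foreach ($cases as $label => $claims) {
    printf("%-9s %s\n", $label, checkAssertionWindow($claims, $max, $now, $seen) ?? 'accepted');
}
```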
Bump server ^1.14 + client ^1.2; document IAM_OAUTH_CLIENT_ASSERTION_MAX_LIFETIME. Makes the deployed console private_key_jwt-capable.