
support for oidc client_assertion as one of the client authentication methods

Open t-indumathy opened this issue 3 years ago • 2 comments

Feature Description

Support for client_assertion via private_key_jwt or client_secret_jwt in OIDC auth, with client_assertion_type as "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

Alternatives Considered

No alternatives. The current approach only supports client_secret, either in the form of basic auth or in the payload.

Additional Context

https://openid.net/specs/openid-connect-core-1_0.html#:~:text=per%20%5BOAuth.JWT%5D.-,private_key_jwt,-Clients%20that%20have

t-indumathy avatar Dec 02 '21 11:12 t-indumathy

@incfly I think it is worth doing. Should we include this in the next release plan?

Shikugawa avatar Dec 02 '21 15:12 Shikugawa

Reading the RFC, private_key_jwt would require the client to register a public key with the identity provider. Later on, token endpoint requests to the IdP can then be authenticated by the client (authservice) signing a JWT.

There'll definitely be a use case for this. But just like every feature request, I'd like us to wait a bit, seeing whether there'll be more +1/data points from others saying they need this as well; and why it has to be private_key_jwt rather than another client authn scheme.


Side note for the next release and upcoming work, I think we should first prioritize the E2E testing, troubleshooting, docs (adding helm chart to the release) stuff. For example, ensure every PR would work with Istio 1.xx releases E2E without having to manually verify via installation.

incfly avatar Dec 03 '21 21:12 incfly
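The exchange the feature request and the last comment describe, as an added example that is not authservice's own code: the client (authservice) builds a private_key_jwt client assertion with iss and sub set to its client_id and aud set to the IdP's token endpoint, signs it with its registered private key, and sends it in the token request with client_assertion_type set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer. The IdP-side verifier is included so the claim checks the spec requires can be seen next to the signing. The client_id, token endpoint URL, redirect URI, authorization code and kid are constructed placeholders; the key is generated at runtime.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// AssertionType is the fixed client_assertion_type value from RFC 7523 / OIDC Core 9.
const AssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

// Claims carried in a private_key_jwt client assertion (OIDC Core section 9).
type assertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion is the client side: iss and sub must both be the client_id, aud is the
// IdP's token endpoint, jti is a fresh random value so the IdP can reject replays, and the
// assertion is short-lived. The JWT is RS256-signed with the key the client registered.
func BuildClientAssertion(key *rsa.PrivateKey, clientID, tokenEndpoint, kid string, now time.Time) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	if err != nil {
		return "", err
	}
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, err := json.Marshal(assertionClaims{
		Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Jti: b64(jti), Iat: now.Unix(), Exp: now.Add(60 * time.Second).Unix(),
	})
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// TokenRequestForm builds the form body the client POSTs to the token endpoint: no client_secret
// anywhere, the assertion is the credential.
func TokenRequestForm(code, redirectURI, assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "authorization_code")
	v.Set("code", code)
	v.Set("redirect_uri", redirectURI)
	v.Set("client_assertion_type", AssertionType)
	v.Set("client_assertion", assertion)
	return v.Encode()
}

// VerifyClientAssertion is the IdP side: pin the algorithm, check the signature against the
// public key registered for this client_id, then check iss/sub, aud and expiry.
func VerifyClientAssertion(pub *rsa.PublicKey, assertion, clientID, tokenEndpoint string, now time.Time) (*assertionClaims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // never let the token choose "none" or an HMAC alg
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c assertionClaims
	if err := json.Unmarshal(cb, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return nil, errors.New("iss/sub do not match client_id")
	case c.Aud != tokenEndpoint:
		return nil, errors.New("aud is not this token endpoint")
	case now.Unix() >= c.Exp:
		return nil, errors.New("assertion expired")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the client's registered key
	const clientID, tokenEP = "authservice", "https://idp.example.com/oauth2/token"
	a, err := BuildClientAssertion(key, clientID, tokenEP, "key-1", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(TokenRequestForm("SplxlOBeZQQYbYS6WxSbIA", "https://app.example.com/callback", a))
	if _, err := VerifyClientAssertion(&key.PublicKey, a, clientID, tokenEP, time.Now()); err != nil {
		panic(err)
	}
	fmt.Println("assertion verified")
}
```

A real IdP additionally remembers each jti until its exp passes and rejects repeats, and looks the public key up by client_id (and kid) from its registration store rather than trusting anything in the JWT header; client_secret_jwt differs only in using an HMAC over the shared secret instead of the RSA signature.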