
@W-22151509 Add JWT Bearer authentication for certificate-based OAuth#376

Open
charithaT07 wants to merge 6 commits into main from W-22162268-OAuth-JWT-Client

Conversation


@charithaT07 charithaT07 commented Apr 23, 2026

Summary

Overview

Implements JWT Bearer authentication (RFC 7523) for the B2C CLI, enabling certificate-based authentication as a more secure alternative to client secrets. This is particularly useful for CI/CD pipelines and production environments.

What Changed

  • New authentication method: jwt added to auth priority: client-credentials → jwt → implicit
  • New CLI flags: --jwt-cert, --jwt-key, --jwt-passphrase
  • Environment variables: SFCC_JWT_CERT, SFCC_JWT_KEY, SFCC_JWT_PASSPHRASE
  • dw.json support: jwt-cert-path, jwt-key-path, jwt-passphrase

Implementation Details

  • Created JwtOAuthStrategy class for JWT Bearer flow
  • JWT credentials sent in POST body (client_assertion parameter) per RFC 7523
  • Uses RSA-SHA256 signing with Base64URL encoding
  • Supports encrypted private keys with optional passphrase
  • In-memory token caching (30 minutes) to reduce auth requests within command execution
  • Comprehensive error handling with helpful messages for common setup issues

Key Files

  • New: src/auth/oauth-jwt.ts (427 lines, 97.28% coverage)
  • Modified: src/auth/types.ts, src/cli/oauth-command.ts, src/config/types.ts
  • Tests: 28 unit tests added in test/auth/oauth-jwt.test.ts
  • Docs: Updated docs/guide/authentication.md and docs/guide/configuration.md

Testing

  • ✅ All 1,681 tests passing (0 failures)
  • ✅ 82.2% overall code coverage (97.28% on JWT module)
  • ✅ Manually verified with Pod 5 Account Manager
  • ✅ Token generation, caching, and API calls tested
  • ✅ Error scenarios covered (missing files, wrong passphrase, invalid formats)

Usage Example

```bash
# Generate certificate pair
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Upload cert.pem to Account Manager API Client

# Use JWT auth
export SFCC_JWT_CERT=./cert.pem
export SFCC_JWT_KEY=./key.pem
b2c sandbox list
```

Dependencies

  • No net-new third-party dependencies were added
  • If net-new third-party dependencies were added, rationale/discussion is included and 3pl-approved is set by a maintainer

  • Tests pass (pnpm test)
  • Code is formatted (pnpm run format)
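As an added illustration of the flow the description outlines (RS256 signing, Base64URL encoding, the `client_assertion` POST parameter, passphrase-protected keys and a short-lived in-memory token cache), the following TypeScript is example code written for this page, not the PR's `JwtOAuthStrategy`. The function and class names, the error messages, the `client_credentials` grant type sent alongside the assertion, the placeholder token URL and the constructed test key pair are all assumptions; it uses only Node's built-in `crypto` module and no third-party dependency.

```typescript
// Added example (not the project's code): RFC 7523 client_assertion builder,
// server-side verifier, token request body and a small token cache.
import * as crypto from 'crypto';

// Base64URL per RFC 7515: URL-safe alphabet, no '=' padding.
export function base64url(input: Buffer | string): string {
  return Buffer.from(input).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64urlDecode(s: string): Buffer {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

export interface AssertionOptions {
  clientId: string;       // issuer and subject: the Account Manager API client id
  tokenUrl: string;       // audience: the token endpoint the assertion is meant for
  privateKeyPem: string;  // PEM private key, optionally encrypted (SFCC_JWT_KEY)
  passphrase?: string;    // only needed for an encrypted key (SFCC_JWT_PASSPHRASE)
  ttlSeconds?: number;    // assertion lifetime; keep it short (default 300 s)
  nowSeconds?: number;    // injectable clock for tests
}

// Loads the key and turns Node's opaque errors into setup hints
// (assumed wording; the PR's own messages may differ).
export function loadPrivateKey(pem: string, passphrase?: string): crypto.KeyObject {
  try {
    return passphrase === undefined
      ? crypto.createPrivateKey(pem)
      : crypto.createPrivateKey({ key: pem, passphrase });
  } catch {
    const why = passphrase === undefined
      ? 'key may be encrypted; supply --jwt-passphrase or SFCC_JWT_PASSPHRASE'
      : 'wrong passphrase or unsupported key format';
    throw new Error(`Cannot load JWT private key: ${why}`);
  }
}

// Builds header.claims.signature with RS256 (RSASSA-PKCS1-v1_5 over SHA-256,
// which is what crypto.sign uses by default for an RSA key).
export function buildClientAssertion(opts: AssertionOptions): string {
  const key = loadPrivateKey(opts.privateKeyPem, opts.passphrase);
  if (key.asymmetricKeyType !== 'rsa') throw new Error('RS256 requires an RSA private key');
  const iat = opts.nowSeconds ?? Math.floor(Date.now() / 1000);
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = {
    iss: opts.clientId, sub: opts.clientId, aud: opts.tokenUrl,
    iat, exp: iat + (opts.ttlSeconds ?? 300),
    jti: crypto.randomUUID(),  // unique per assertion so the server can reject replays
  };
  const signingInput = `${base64url(JSON.stringify(header))}.${base64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), key);
  return `${signingInput}.${base64url(signature)}`;
}

// What the token endpoint does with the assertion: pin the algorithm, check the
// signature against the uploaded certificate's public key, then audience and expiry.
export function verifyClientAssertion(
  jwt: string, publicKeyPem: string, expectedAud: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): Record<string, unknown> {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;
  const header = JSON.parse(base64urlDecode(h).toString('utf8'));
  if (header.alg !== 'RS256') throw new Error(`unexpected alg ${header.alg}`);
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    crypto.createPublicKey(publicKeyPem), base64urlDecode(s));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(base64urlDecode(p).toString('utf8'));
  if (claims.aud !== expectedAud) throw new Error('audience mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) throw new Error('assertion expired');
  return claims;
}

// RFC 7523 section 2.2: the JWT authenticates the client in the POST body.
// Pairing it with grant_type=client_credentials is an assumption for this example.
export function tokenRequestBody(assertion: string, grantType: string = 'client_credentials'): string {
  return new URLSearchParams({
    grant_type: grantType,
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
  }).toString();
}

// In-memory cache so one command execution reuses a token for 30 minutes.
export class TokenCache {
  private token: string | undefined;
  private expiresAt = 0;
  private readonly ttlSeconds: number;
  constructor(ttlSeconds: number = 30 * 60) { this.ttlSeconds = ttlSeconds; }
  get(now: number = Date.now() / 1000): string | undefined {
    return this.token !== undefined && now < this.expiresAt ? this.token : undefined;
  }
  set(token: string, now: number = Date.now() / 1000): void {
    this.token = token; this.expiresAt = now + this.ttlSeconds;
  }
}

// End-to-end run on a constructed, passphrase-encrypted test key pair.
export function demo(): { assertion: string; claims: Record<string, unknown>; body: string; privateKeyPem: string } {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: 'example-passphrase' },
  });
  const tokenUrl = 'https://account-manager.example/oauth2/token';  // placeholder, not a real endpoint
  const assertion = buildClientAssertion({ clientId: 'example-client-id', tokenUrl, privateKeyPem: privateKey, passphrase: 'example-passphrase' });
  const claims = verifyClientAssertion(assertion, publicKey, tokenUrl);
  return { assertion, claims, body: tokenRequestBody(assertion), privateKeyPem: privateKey };
}
```

The verifier pins `alg` to RS256 before checking the signature rather than trusting the header, which is the usual defence against algorithm-confusion on the receiving side; the assertion itself is kept to a few minutes of validity with a fresh `jti`, while the 30-minute cache applies to the access token the server returns, not to the assertion.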

@charithaT07 charithaT07 marked this pull request as ready for review April 23, 2026 17:39
@charithaT07 charithaT07 requested a review from clavery as a code owner April 23, 2026 17:39

@clavery clavery left a comment


@charithaT07 I did a review with Claude and there's some suggestions I agree with.

Given the length, I'm linking out to them here: https://share.plannotator.ai/p/vuloceet#key=bOUkhlGJMqyZ425pKpD3ouoq2jANfZ___cGD-MgcELw


> @charithaT07 I did a review with Claude and there's some suggestions I agree with.
>
> Given the length, I'm linking out to them here: https://share.plannotator.ai/p/vuloceet#key=bOUkhlGJMqyZ425pKpD3ouoq2jANfZ___cGD-MgcELw

Addressed the review suggestions
