
fix: oidc public client without need to provide secret#364

Open
13bscsaamjad wants to merge 1 commit intohashicorp:mainfrom
13bscsaamjad:fix-oidc-public-discovery

Conversation


13bscsaamjad commented Jan 14, 2026

Overview

Who the change affects or is for?

This change affects developers and organizations using OIDC authentication with Vault who need to support public client applications.

What is the change?

Fix OIDC authentication with PKCE, without requiring a client secret. Users can now configure OIDC authentication by providing only oidc_discovery_url and oidc_client_id, with oidc_client_secret being optional.

Why is the change needed?

Public client applications (as defined in OAuth 2.0 RFC) cannot securely store client secrets since they run on end-user devices. Modern OAuth providers support PKCE as a secure alternative to client secrets for these scenarios. This change enables Vault to work with public OIDC clients, enhancing its flexibility and usability in diverse application environments.

How does this change affect the user experience?

Users can now configure OIDC authentication without requiring a client secret:

Before:

vault write auth/jwt/config \
    oidc_discovery_url="https://provider.com" \
    oidc_client_id="abc" \
    oidc_client_secret="secret"  # Required

After:

vault write auth/jwt/config \
    oidc_discovery_url="https://provider.com" \
    oidc_client_id="abc"  # Secret is optional

Design of Change

How was this change implemented?
Modified configuration validation in path_config.go to make oidc_client_secret optional when oidc_client_id is provided. Key changes:

  • Relaxed validation to allow oidc_client_id without oidc_client_secret
  • Updated authType() to recognize OIDC flow with client_id only
  • Modified provider creation to handle empty secrets and enable PKCE
  • Added test coverage for public client configuration
  • Updated documentation and field descriptions

The existing OIDC provider library automatically uses PKCE when no client secret is provided, securing the token exchange without requiring a shared secret.
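The PKCE binding that the description relies on in place of a client secret, shown as an added example in Go (RFC 7636, S256 method); this is illustration code, not code from this PR or from the vault-plugin-auth-jwt library, and the function names are assumptions. It shows both halves of the exchange: the client derives a code_challenge from a random code_verifier, and the provider later checks the verifier presented with the authorization code against the challenge it stored.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// NewVerifier returns a high-entropy code_verifier (RFC 7636 section 4.1):
// 32 random bytes, base64url-encoded without padding, which yields 43 characters.
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Challenge derives the S256 code_challenge sent on the authorization request:
// BASE64URL(SHA256(ASCII(code_verifier))), without padding.
func Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyChallenge is the provider-side check at the token endpoint: the
// verifier presented with the authorization code must hash to the challenge
// that was bound to that code at authorization time. Length bounds follow
// RFC 7636 (43..128 characters); comparison is constant-time.
func VerifyChallenge(storedChallenge, verifier string) bool {
	if len(verifier) < 43 || len(verifier) > 128 {
		return false
	}
	got := []byte(Challenge(verifier))
	return subtle.ConstantTimeCompare(got, []byte(storedChallenge)) == 1
}

func main() {
	// Client side: generate verifier, send only the challenge with the auth request.
	v, err := NewVerifier()
	if err != nil {
		panic(err)
	}
	c := Challenge(v)
	// Provider side: on code redemption, check the presented verifier.
	fmt.Println("challenge:", c, "verifier accepted:", VerifyChallenge(c, v))
}
```

An interception of the authorization code alone is useless to a third party because redeeming it also requires the verifier, which never left the client; that is what lets a public client omit the shared secret.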

Related Issues/Pull Requests

Contributor Checklist

=== RUN   TestConfig_OIDC_Write
--- PASS: TestConfig_OIDC_Write (0.55s)
=== RUN   TestConfig_OIDC_Write_ProviderConfig
--- PASS: TestConfig_OIDC_Write_ProviderConfig (0.15s)
PASS
ok      github.com/hashicorp/vault-plugin-auth-jwt      1.322s
  • Backwards compatible

This change is fully backwards compatible. Existing configurations with client secrets continue to work unchanged. The change only relaxes validation to make client_secret optional.

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.

  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

  • If applicable, I've documented the impact of any changes to security controls.

    Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

13bscsaamjad (Author) commented:

@fairclothjm @jaireddjawed @keeefer
Picked your tags from the latest merges 😊

Can you please help me get this one merged? How do I get the permissions for the Jira Sync check?

13bscsaamjad (Author) commented:

@abbyck, can you help get this one merged, please?
