feat(auth): support private_key_jwt registration and authentication

[albertnusouo]

Summary

Adds a secretless private_key_jwt (RFC 7523) path for app registration and token acquisition, alongside the existing client_secret flow. The client holds a non-exportable private key in a platform key store and proves possession with signed JWTs, so no app secret is stored or transmitted. The auth method is gated on device capability and server support; client_secret stays the default and its behavior is unchanged.

Changes

• Pluggable signer SPI (extension/keysigner): stdlib-only Signer interface + registry; key-store backends register from init(). Ships a macOS Keychain signer behind the keychain_signer build tag (CGO + Security.framework) that imports a software-generated RSA-2048 key as non-extractable (security import -x) — note: software-level, not Secure Enclave / hardware-backed. The default build stays CGO-free with no signer registered (client_secret only).
• JWS builder (internal/auth/jwt): stdlib-only registration attestation (public key in the jwk header) and RFC 7523 client_assertion; no new module dependencies (go.mod/go.sum unchanged).
• Registration: config init --auth-method client_secret|private_key_jwt. The private_key_jwt flow runs init (server nonce + supported_auth_methods) → signed attestation → begin, persists no secret (only an opaque key handle), and honors the authoritative auth_method returned at user confirmation.
• Token endpoints: tenant token via the jwt-bearer grant + client_assertion; user device-login and token refresh substitute client_assertion for client_secret. All existing client_secret code paths are unchanged.
• Config / diagnostics: the account model carries auth_method + key handle; auth status reports a secretless private_key_jwt app as configured.

Test Plan

• Unit tests pass (make unit-test) — added coverage for the signer, JWS, registration init/begin, client-assertion, and tenant/user token paths
• golangci-lint run --new-from-rev=origin/main → 0 issues; go.mod/go.sum unchanged
• Both build configurations compile (default CGO-free, and -tags keychain_signer)
• Manual end-to-end verification against a live server with the macOS Keychain signer: registration → tenant token → user login → token refresh

Related Issues

• None

Summary by CodeRabbit

• New Features

  • private_key_jwt support: TEE-backed client assertions (no app secret stored) across init, registration, device login, token fetch, and config resolution; device flow prefers server-provided completion URLs and uses consolidated client credential handling.
  • New pluggable keysigner and JWT signing utilities; macOS keychain signer available.

• Tests

  • Expanded coverage for auth-method resolution, JWT/key signing, device flow, key signer registry, token fetch, and related flows.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds secretless private_key_jwt end-to-end: keysigner contracts and registry, JWT attestation/assertion builders, app-registration auth-method negotiation, ClientAuth device-flow wiring, assertion-based TAT/UAT flows, config persistence and interactive selection, macOS keychain signer, and comprehensive tests.

Changes

Private Key JWT — Single Cohort

Layer / File(s)

Summary

All changes (review checkpoint) cmd/..., extension/keysigner/..., internal/auth/..., internal/credential/..., internal/core/..., cmd/config/..., sidecar/...

Complete set of changes encompassing keysigner contracts and registry, macOS keychain signer, JWT builders (attestation/client assertion), ClientAuth abstraction and application, app-registration init/begin/poll auth-method handling, device-flow migration to ClientAuth with context, assertion-based TAT (FetchTATWithAssertion) and UAT refresh changes, config init --auth-method wiring and persistence, diagnostics update, sidecar caller updates, and all associated tests.

• Sequence Diagram(s): Included in the hidden review artifact above.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• larksuite/cli#235: Touches device_flow auth paths similar to RequestDeviceAuthorization/PollDeviceToken changes.
• larksuite/cli#934: Related sidecar/demo device-flow bridge updates overlapping auth bridge wiring.

Suggested labels

feature, domain/base

Suggested reviewers

• sang-neo03
• liangshuo-1
• MaxHuang22

"i am a rabbit, nibbling keys so bright,
signing tiny tokens through the night.
secrets left behind, the JWS hums true,
hop — the CLI speaks, auth flows through. 🐇"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 49.58% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat(auth): support private_key_jwt registration and authentication' accurately captures the main change: adding RFC 7523 private_key_jwt support for registration and authentication.
Description check	✅ Passed	The PR description is comprehensive and well-structured, covering motivation (secretless auth with non-exportable keys), all major changes (signer SPI, JWS builder, registration flow, token endpoints, config/diagnostics), test coverage, and build validation.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/app_registration_v3

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@40de8a44dc4f0171ca083f182038fb8dca2e3f78

🧩 Skill update

npx skills add larksuite/cli#feat/app_registration_v3 -y -g

[codecov]

Codecov Report

❌ Patch coverage is 63.67925% with 154 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.07%. Comparing base (8e667db) to head (40de8a4).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/config/init_interactive.go	30.33%	61 Missing and 1 partial ⚠️
internal/auth/app_registration.go	71.87%	12 Missing and 6 partials ⚠️
cmd/config/init.go	56.75%	16 Missing ⚠️
internal/credential/tat_fetch.go	71.11%	7 Missing and 6 partials ⚠️
internal/auth/jwt/jwt.go	80.00%	6 Missing and 6 partials ⚠️
internal/credential/default_provider.go	0.00%	10 Missing ⚠️
internal/auth/device_flow.go	47.05%	8 Missing and 1 partial ⚠️
internal/auth/uat_client.go	33.33%	6 Missing ⚠️
extension/keysigner/keysigner.go	90.24%	3 Missing and 1 partial ⚠️
internal/auth/client_auth.go	80.95%	2 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1379      +/-   ##
==========================================
+ Coverage   71.98%   72.07%   +0.08%     
==========================================
  Files         700      707       +7     
  Lines       66293    66888     +595     
==========================================
+ Hits        47721    48207     +486     
- Misses      14867    14944      +77     
- Partials     3705     3737      +32     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/config/init_interactive.go`:
- Around line 243-257: Add a short clarifying comment next to the init guard
that checks initResp.SupportedAuthMethods (the block starting with if
len(initResp.SupportedAuthMethods) > 0 && !slices.Contains(...)) describing that
an empty SupportedAuthMethods slice is intentionally treated as “older server /
unknown” and therefore allows the requested private_key_jwt to proceed (matching
resolveFinalAuthMethod’s back-compat behavior). Then add a unit test for
RequestAppRegistrationInit handling an empty SupportedAuthMethods array: mock
larkauth.RequestAppRegistrationInit to return SupportedAuthMethods: [] and
assert that the code path allows private_key_jwt (no rejection) and that the
comment’s documented behavior is covered; reference the init logic and
resolveFinalAuthMethod in the test to show alignment.

In `@extension/keysigner/signer_keychain_darwin.go`:
- Line 372: This file uses direct os.* filesystem calls (e.g., os.ReadFile at
the shown diff and additional uses of
ReadFile/WriteFile/Stat/MkdirAll/Remove/CreateTemp/Executable elsewhere in
signer_keychain_darwin.go) which violates the forbidigo rule; replace all these
os.X calls with the corresponding internal/vfs helpers (vfs.ReadFile,
vfs.WriteFile, vfs.Stat, vfs.MkdirAll, vfs.Remove, vfs.CreateTemp,
vfs.Executable) and import the internal/vfs package, ensuring each call site
(for example the function that reads key data where os.ReadFile(path) is used)
uses vfs.* instead; do not add a //nolint:forbidigo—migrate the calls instead to
satisfy lint/build checks.

In `@internal/auth/app_registration.go`:
- Around line 183-193: The fallback construction for verificationUriComplete
appends "?user_code=..." without handling existing query parameters; update the
logic in internal/auth/app_registration.go where verificationUriComplete is
built (variable verificationUriComplete, values verificationUri and userCode,
and ep.Open) to use the same query-joining logic as BuildVerificationURL: either
detect whether verificationUri (or base) contains a '?' and choose '?' vs '&'
accordingly, or better, construct the URL via net/url (url.URL and url.Values)
to add the user_code parameter safely so you never produce an invalid query
string when verification_uri already has parameters.

In `@internal/auth/jwt/jwt.go`:
- Around line 1-153: Add a unit test to jwt_test.go that triggers json.Marshal
failures by passing an unmarshalable value (e.g. a func or channel) in the
header or claims to exercise the error paths in buildSignedJWT; call
buildSignedJWT directly (or via SignClientAssertion/SignAttestation if you
prefer) with signer nil-check satisfied (use a stub signer) and assert the
returned error is non-nil and contains the marshal-related prefix ("jwt: marshal
header" or "jwt: marshal claims") so the test covers those failure branches.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b3a6a530-a2c3-42bb-9e6a-302a413baa72

📥 Commits

Reviewing files that changed from the base of the PR and between 7cc0b49 and dc3fe5a.

📒 Files selected for processing (30)

• cmd/auth/login.go
• cmd/auth/login_test.go
• cmd/config/config_test.go
• cmd/config/init.go
• cmd/config/init_auth_method_test.go
• cmd/config/init_interactive.go
• extension/keysigner/keysigner.go
• extension/keysigner/keysigner_test.go
• extension/keysigner/registry.go
• extension/keysigner/signer_keychain_darwin.go
• extension/keysigner/signer_keychain_darwin_test.go
• internal/auth/app_registration.go
• internal/auth/app_registration_test.go
• internal/auth/client_auth.go
• internal/auth/client_auth_test.go
• internal/auth/device_flow.go
• internal/auth/device_flow_test.go
• internal/auth/jwt/jwt.go
• internal/auth/jwt/jwt_test.go
• internal/auth/uat_client.go
• internal/auth/uat_client_options_test.go
• internal/core/config.go
• internal/core/types.go
• internal/core/types_test.go
• internal/credential/default_provider.go
• internal/credential/tat_fetch.go
• internal/credential/tat_fetch_test.go
• internal/credential/types.go
• internal/identitydiag/diagnostics.go
• sidecar/server-multi-tenant-demo/auth_bridge.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/core/config.go`:
- Around line 288-292: The resolver currently copies app.AuthMethod directly
into cfg (AuthMethod: app.AuthMethod) and only conditionally copies
app.KeyRef.ID, allowing unsupported auth methods and permitting private_key_jwt
without a key handle; update the resolution logic to validate and normalize
app.AuthMethod into cfg.AuthMethod (reject unknown values) and enforce that when
the resolved/auth method is "private_key_jwt" there is a non-nil app.KeyRef
(otherwise return an error during resolution), and add resolver unit tests
covering an invalid authMethod and the missing keyRef for private_key_jwt to
ensure failures occur at resolution time.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 387f9896-f74c-4cf0-987e-32b943a94f96

📥 Commits

Reviewing files that changed from the base of the PR and between 4d38935 and 7575d72.

📒 Files selected for processing (30)

• cmd/auth/login.go
• cmd/auth/login_test.go
• cmd/config/config_test.go
• cmd/config/init.go
• cmd/config/init_auth_method_test.go
• cmd/config/init_interactive.go
• extension/keysigner/keysigner.go
• extension/keysigner/keysigner_test.go
• extension/keysigner/registry.go
• extension/keysigner/signer_keychain_darwin.go
• extension/keysigner/signer_keychain_darwin_test.go
• internal/auth/app_registration.go
• internal/auth/app_registration_test.go
• internal/auth/client_auth.go
• internal/auth/client_auth_test.go
• internal/auth/device_flow.go
• internal/auth/device_flow_test.go
• internal/auth/jwt/jwt.go
• internal/auth/jwt/jwt_test.go
• internal/auth/uat_client.go
• internal/auth/uat_client_options_test.go
• internal/core/config.go
• internal/core/types.go
• internal/core/types_test.go
• internal/credential/default_provider.go
• internal/credential/tat_fetch.go
• internal/credential/tat_fetch_test.go
• internal/credential/types.go
• internal/identitydiag/diagnostics.go
• sidecar/server-multi-tenant-demo/auth_bridge.go

🚧 Files skipped from review as they are similar to previous changes (29)

• cmd/auth/login_test.go
• internal/core/types.go
• cmd/config/config_test.go
• sidecar/server-multi-tenant-demo/auth_bridge.go
• internal/auth/uat_client_options_test.go
• extension/keysigner/registry.go
• internal/identitydiag/diagnostics.go
• internal/credential/tat_fetch.go
• internal/auth/uat_client.go
• internal/credential/default_provider.go
• extension/keysigner/signer_keychain_darwin_test.go
• internal/auth/client_auth.go
• extension/keysigner/keysigner.go
• internal/core/types_test.go
• internal/credential/tat_fetch_test.go
• cmd/auth/login.go
• internal/auth/device_flow_test.go
• cmd/config/init_auth_method_test.go
• internal/auth/client_auth_test.go
• internal/auth/jwt/jwt.go
• internal/credential/types.go
• extension/keysigner/keysigner_test.go
• internal/auth/app_registration_test.go
• extension/keysigner/signer_keychain_darwin.go
• internal/auth/device_flow.go
• cmd/config/init_interactive.go
• internal/auth/jwt/jwt_test.go
• cmd/config/init.go
• internal/auth/app_registration.go

[coderabbitai]

🧹 Nitpick comments (2)

internal/core/config_test.go (2)

159-192: ⚡ Quick win

Strengthen error assertions for consistency.

The test correctly validates both the failure case (missing KeyRef) and the success case (with KeyRef, verifying KeyLabel derivation). However, the error assertions only check the error type. Following the existing pattern at lines 110-112, consider also asserting that cfgErr.Hint and cfgErr.Message are non-empty to ensure users receive actionable error guidance.

📋 Proposed enhancement

 	var cfgErr *ConfigError
 	if !errors.As(err, &cfgErr) {
 		t.Fatalf("expected ConfigError, got %T: %v", err, err)
 	}
+	if cfgErr.Hint == "" {
+		t.Error("expected non-empty hint in ConfigError")
+	}
 
 	// Control: same config WITH a keyRef resolves cleanly and sets KeyLabel.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/core/config_test.go` around lines 159 - 192, In
TestResolveConfigFromMulti_PrivateKeyJWTRequiresKeyRef, after asserting the
error is a ConfigError via errors.As into cfgErr, add assertions to verify
cfgErr.Hint and cfgErr.Message are non-empty (e.g., use if cfgErr.Hint == "" {
t.Fatalf(...) } and similarly for cfgErr.Message) so the failure case from
ResolveConfigFromMulti yields actionable guidance; keep the checks consistent
with the existing pattern used elsewhere (see other tests that assert
cfgErr.Hint and cfgErr.Message).

---

135-157: ⚡ Quick win

Strengthen error assertions to match existing test pattern.

The test correctly validates that an unknown AuthMethod fails with a *ConfigError, but doesn't assert any of the error's fields. The existing pattern in this file (lines 110-112 in TestResolveConfigFromMulti_RejectsSecretKeyMismatch) also checks that cfgErr.Hint is non-empty. Consider asserting on Message and Hint to ensure the error provides actionable guidance and to improve regression protection.

📋 Proposed enhancement

 	var cfgErr *ConfigError
 	if !errors.As(err, &cfgErr) {
 		t.Fatalf("expected ConfigError, got %T: %v", err, err)
 	}
+	if cfgErr.Hint == "" {
+		t.Error("expected non-empty hint in ConfigError")
+	}
+	if cfgErr.Message == "" {
+		t.Error("expected non-empty message in ConfigError")
+	}
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/core/config_test.go` around lines 135 - 157, Update
TestResolveConfigFromMulti_RejectsUnknownAuthMethod to assert the returned
*ConfigError contains actionable fields: after confirming err is a *ConfigError
(cfgErr), add checks that cfgErr.Message and cfgErr.Hint are non-empty (or
otherwise validate expected substrings about unknown AuthMethod) so the test
mirrors the pattern used in TestResolveConfigFromMulti_RejectsSecretKeyMismatch
and guards against regressions in ResolveConfigFromMulti.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@internal/core/config_test.go`:
- Around line 159-192: In
TestResolveConfigFromMulti_PrivateKeyJWTRequiresKeyRef, after asserting the
error is a ConfigError via errors.As into cfgErr, add assertions to verify
cfgErr.Hint and cfgErr.Message are non-empty (e.g., use if cfgErr.Hint == "" {
t.Fatalf(...) } and similarly for cfgErr.Message) so the failure case from
ResolveConfigFromMulti yields actionable guidance; keep the checks consistent
with the existing pattern used elsewhere (see other tests that assert
cfgErr.Hint and cfgErr.Message).
- Around line 135-157: Update
TestResolveConfigFromMulti_RejectsUnknownAuthMethod to assert the returned
*ConfigError contains actionable fields: after confirming err is a *ConfigError
(cfgErr), add checks that cfgErr.Message and cfgErr.Hint are non-empty (or
otherwise validate expected substrings about unknown AuthMethod) so the test
mirrors the pattern used in TestResolveConfigFromMulti_RejectsSecretKeyMismatch
and guards against regressions in ResolveConfigFromMulti.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 79e50d94-b61c-450a-b4a2-f0fd1aa4accf

📥 Commits

Reviewing files that changed from the base of the PR and between 29fa49f and 40de8a4.

📒 Files selected for processing (5)

• cmd/config/init_auth_method_test.go
• cmd/config/init_interactive.go
• internal/auth/app_registration_test.go
• internal/core/config.go
• internal/core/config_test.go

🚧 Files skipped from review as they are similar to previous changes (4)

• internal/core/config.go
• internal/auth/app_registration_test.go
• cmd/config/init_auth_method_test.go
• cmd/config/init_interactive.go