Support PRIVATE_KEY authorization mode with external JWT signing
Describe the feature request?
Currently, PRIVATE_KEY authorization mode requires a private key to be provided to the SDK.
However, it would be technically possible to perform the JWT token signature without a private key stored locally, for example by using a KMS from a Cloud provider. This would increase the overall security of the application, as the private key would never be available.
This is not possible at the moment, as there's no way to replace the default AccessTokenRetrieverServiceImpl with a custom implementation: https://github.com/okta/okta-sdk-java/blob/15dfcd46a35b3d1be3c62730565dbb0b2f46a5f5/impl/src/main/java/com/okta/sdk/impl/client/DefaultClientBuilder.java#L379-L385
Ideally, some configuration would be available to provide a custom implementation for createSignedJWT: https://github.com/okta/okta-sdk-java/blob/70728241e104c8473b318298ecff07c81db768bf/impl/src/main/java/com/okta/sdk/impl/oauth2/AccessTokenRetrieverServiceImpl.java#L139
New or Affected Resource(s)
N/A
Provide a documentation link
https://developer.okta.com/docs/reference/api/oidc/#jwt-with-private-key
Additional Information?
No response
Thanks for posting!
We'll get this reviewed internally and triage.
I've implemented a working solution here: https://github.com/okta/okta-sdk-java/compare/master...clementdenis:okta-sdk-java:external_jwt_signing
It's a bit hacky, as it overrides jjwt's DefaultJwtBuilder to provide a custom JWT signer: https://github.com/clementdenis/okta-sdk-java/blob/8991e68bced31d99d3b69be23618db27d2f36560/impl/src/main/java/com/okta/sdk/impl/oauth2/AccessTokenRetrieverServiceImpl.java#L146-L151
The best solution would probably be to replace the jjwt library with another one supporting JWT and non-local signing (I've already done this with Auth0's java-jwt library).
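The external-signing idea from the issue and the follow-up comment, as an added example rather than code from okta-sdk-java or clementdenis's branch: it builds the private_key_jwt client_assertion with only the JDK, isolating the RS256 signing step behind a hypothetical JwtSigner interface so a cloud KMS client can replace the local-key stand-in without the key ever being loaded into the process. ClientAssertionBuilder, JwtSigner, the placeholder client id and the placeholder Okta domain are assumptions, not SDK names.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Base64;
import java.util.UUID;

/** Abstraction over where the RS256 signature is produced (local key, cloud KMS, HSM). */
@FunctionalInterface
interface JwtSigner {
    byte[] signRs256(byte[] signingInput) throws Exception;
}

public class ClientAssertionBuilder {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    /** Builds the client_assertion JWT for the private_key_jwt client authentication method. */
    static String buildClientAssertion(String clientId, String tokenUrl, String kid, JwtSigner signer)
            throws Exception {
        long now = System.currentTimeMillis() / 1000;
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"" + kid + "\"}";
        // iss and sub carry the client_id, aud is the token endpoint, jti makes each assertion unique
        String claims = "{\"iss\":\"" + clientId + "\",\"sub\":\"" + clientId + "\",\"aud\":\"" + tokenUrl
                + "\",\"iat\":" + now + ",\"exp\":" + (now + 300) + ",\"jti\":\"" + UUID.randomUUID() + "\"}";
        String signingInput = b64(header.getBytes(StandardCharsets.UTF_8)) + "."
                + b64(claims.getBytes(StandardCharsets.UTF_8));
        // Only the opaque signing input leaves this method; the signer decides where the key lives
        byte[] signature = signer.signRs256(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + b64(signature);
    }

    private static String b64(byte[] in) { return B64.encodeToString(in); }

    /** Local-key stand-in: a KMS-backed JwtSigner would send signingInput to the service instead. */
    static JwtSigner localKeySigner(PrivateKey key) {
        return input -> {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(key);
            s.update(input);
            return s.sign();
        };
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // constructed throwaway key, not a real credential
        String jwt = buildClientAssertion("CLIENT_ID_PLACEHOLDER", "https://YOUR_OKTA_DOMAIN/oauth2/v1/token",
                "KID_PLACEHOLDER", localKeySigner(kp.getPrivate()));
        System.out.println(jwt.split("\\.").length == 3 ? "client_assertion built" : "unexpected");
    }
}
```

The SDK would then pass the returned string as client_assertion to the token endpoint; swapping localKeySigner for a KMS implementation changes nothing else in the flow.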