
FPSSO: Encrypt passwords "on the wire" #48048

Draft
JordanMontgomery wants to merge 3 commits into JM-46958-psso-device-reg-token from JM-47132-encrypt-passwords

Conversation

@JordanMontgomery JordanMontgomery commented Jun 22, 2026

Member

Related issue: Resolves #

Checklist for submitter

If some of the following don't apply, delete the relevant line.

  • Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
    See Changes files for more information.

  • Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

  • Timeouts are implemented and retries are limited to avoid infinite loops

  • If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

Summary by CodeRabbit

  • New Features

    • Added secure password encryption support for Platform SSO logins on macOS Fleet desktop.
    • PSSO JWKS endpoint now publishes encryption public key alongside signing key.
  • Tests

    • Added coverage for password encryption and decryption flows.
  • Chores

    • Implemented automated encryption key generation and management for Platform SSO.

…into JM-47132-encrypt-passwords

# Conflicts:
#	apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+PSSO.swift

codecov Bot commented Jun 22, 2026


Codecov Report

❌ Patch coverage is 59.34959% with 50 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.09%. Comparing base (3d23269) to head (a3c5b9b).

Files with missing lines (patch coverage, lines):
ee/server/service/apple_psso.go: 51.61%, 21 missing and 9 partials ⚠️
ee/server/service/apple_psso_crypto.go: 65.85%, 7 missing and 7 partials ⚠️
server/service/apple_psso.go: 70.00%, 3 missing and 3 partials ⚠️
Additional details and impacted files
@@                       Coverage Diff                        @@
##           JM-46958-psso-device-reg-token   #48048    +/-   ##
================================================================
  Coverage                           67.09%   67.09%            
================================================================
  Files                                3627     3627            
  Lines                              230299   230408   +109     
  Branches                            11787    11787            
================================================================
+ Hits                               154518   154598    +80     
- Misses                              61819    61832    +13     
- Partials                            13962    13978    +16     
Flag Coverage Δ
backend 68.71% <59.34%> (+<0.01%) ⬆️


@JordanMontgomery JordanMontgomery requested a review from Copilot June 22, 2026 20:49
@JordanMontgomery
Member Author

@coderabbitai review


coderabbitai Bot commented Jun 22, 2026

Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Copilot AI left a comment

Contributor


Warning

  • Copilot's review of this pull request may be incomplete because some of the changed files are excluded by your Copilot content exclusion settings. See Excluding content from Copilot for details.

Pull request overview

This PR adds “password encryption on the wire” for Apple Platform SSO (PSSO) by introducing a dedicated P-256 encryption key published via JWKS, updating the server to accept the encrypted embedded login assertion, and teaching the macOS extension to fetch and use the JWKS encryption key.

Changes:

  • Add a new PSSO encryption key asset (in mdm_config_assets) and publish it in the PSSO JWKS alongside the signing key.
  • Support encrypted password login assertions (JWE) via grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer, decrypting the embedded assertion to recover username/password.
  • Update Fleet Desktop’s PSSO extension to fetch JWKS and set loginRequestEncryptionPublicKey when an enc key is available.

Reviewed changes

Copilot reviewed 11 out of 12 changed files in this pull request and generated 3 comments.

Summary per file:
server/service/apple_psso.go: Bootstraps and stores a new PSSO encryption private key asset.
server/service/apple_psso_test.go: Extends bootstrap tests to cover encryption key creation/preservation.
server/fleet/mdm.go: Adds the MDMAssetPSSOEncryptionKey asset name constant.
ee/server/service/apple_psso.go: Loads/caches the encryption key, publishes it in JWKS, and accepts JWT-bearer password logins with embedded assertions.
ee/server/service/apple_psso_test.go: Adds a test verifying JWKS includes both signing and encryption keys.
ee/server/service/apple_psso_crypto.go: Adds assertion claim support plus JWE decryption and embedded assertion credential parsing helpers.
ee/server/service/apple_psso_crypto_test.go: Adds tests for inbound assertion decrypt round-trip and credential parsing, plus password resolution behavior.
apps/fleet-desktop-macos/README.md: Updates docs to note /jwks returns Fleet's PSSO public keys (plural).
apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Shared.swift: Makes login configuration async and sets loginRequestEncryptionPublicKey when JWKS provides an enc key.
apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+PSSO.swift: Adjusts registration flow to run async configuration before completing registration.
apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Networking.swift: Adds JWKS fetch + minimal JWK parsing to import a P-256 public key as SecKey.
docs/Contributing/research/mdm/psso.md: Not reviewed (content excluded by policy).
Files excluded by content exclusion policy (1)
  • docs/Contributing/research/mdm/psso.md


Comment on lines +842 to 845
encKey, encKID, err := svc.getPSSOEncryptionKey(ctx)
if err != nil {
return nil, ctxerr.Wrap(ctx, err, "load psso encryption key")
}
Comment on lines +448 to +451
protected, err := base64.RawURLEncoding.DecodeString(protectedB64)
if err != nil {
return nil, fmt.Errorf("psso inbound jwe: decode protected header: %w", err)
}
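Review bot: once `protected` is decoded (line 448), the JWE header has to be treated as untrusted input: compare its alg and enc against the single pair the server expects (presumably an ECDH-ES variant, given the P-256 key) and reject anything else, rather than letting the header choose the key-unwrapping or content-encryption routine. Cap the length of protectedB64 before the decode as well; this runs on the token endpoint before any credential has been verified, so an oversized header should fail fast instead of being base64-decoded in full.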
Comment on lines +24 to +32
func loginRequestEncryptionKey(jwksURL: URL) async -> SecKey? {
guard let (data, resp) = try? await URLSession.shared.data(from: jwksURL),
let http = resp as? HTTPURLResponse,
(200...299).contains(http.statusCode),
let jwks = try? JSONDecoder().decode(JWKSet.self, from: data),
let jwk = jwks.keys.first(where: { $0.use == "enc" })
else { return nil }
return jwk.ecPublicSecKey()
}
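Review bot: `try?` on both the URLSession call and the JSONDecoder call (lines 25 and 28) discards the underlying error, so a TLS failure, a non-2xx status, or a JWKS that no longer parses all collapse into a silent nil, and per the overview the extension then simply does not set loginRequestEncryptionPublicKey while the server still accepts a plaintext Password when no assertion is present. That is a quiet downgrade to the unencrypted login path. Suggest a do/catch that logs the failure and an explicit decision on whether registration may proceed without the enc key. Separately, `first(where: { $0.use == "enc" })` selects on use alone; check kty == "EC" and crv == "P-256", and keep the kid for the JWE protected header, before handing the JWK to ecPublicSecKey(), unless that helper already rejects other key types.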

coderabbitai Bot commented Jun 22, 2026

Contributor


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f5222afa-571b-496f-8fde-2cb83232295b

📥 Commits

Reviewing files that changed from the base of the PR and between 3d23269 and a3c5b9b.

⛔ Files ignored due to path filters (2)
  • apps/fleet-desktop-macos/README.md is excluded by !**/*.md
  • docs/Contributing/research/mdm/psso.md is excluded by !**/*.md
📒 Files selected for processing (10)
  • apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Networking.swift
  • apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+PSSO.swift
  • apps/fleet-desktop-macos/FleetPSSOExtension/AuthenticationViewController+Shared.swift
  • ee/server/service/apple_psso.go
  • ee/server/service/apple_psso_crypto.go
  • ee/server/service/apple_psso_crypto_test.go
  • ee/server/service/apple_psso_test.go
  • server/fleet/mdm.go
  • server/service/apple_psso.go
  • server/service/apple_psso_test.go

Walkthrough

This PR adds end-to-end PSSO (Platform SSO) password encryption support. On the server side, a new MDMAssetPSSOEncryptionKey constant is defined and bootstrapPSSOAssets is extended to generate and persist a P-256 EC private key for encryption alongside the existing signing key and CA. The PSSO service lazily loads and caches this key, and PSSOJWKS now publishes both a sig JWK and an enc JWK. The token endpoint's dispatch logic is refactored to handle RequestType before GrantType, and a new resolvePSSOLoginPassword path decrypts an inbound JWE assertion (using decryptPSSOInboundJWE and parseEmbeddedAssertionCredentials) when Password is absent. On the macOS extension side, loginRequestEncryptionKey(jwksURL:) fetches the JWKS and reconstructs the SecKey from the enc JWK, and applyLoginConfiguration is promoted to async throws to await that key and assign it to cfg.loginRequestEncryptionPublicKey.

Possibly related PRs

  • fleetdm/fleet#47801: Refactors PSSOJWKS and signing-key loading in apple_psso.go, directly overlapping with this PR's changes to PSSOJWKS and the PSSO key-state caching structure.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Description check (Warning): The PR description contains only the uncompleted checklist template with no substantive content added. No related issue is referenced, and there is no explanation of the changes, motivation, or implementation details. Resolution: Complete the PR description by adding a brief explanation of the password encryption implementation, reference the related issue number, and ensure all relevant checklist items are reviewed and checked or explicitly deleted if not applicable.

✅ Passed checks (4 passed)

Title check (Passed): The title 'FPSSO: Encrypt passwords "on the wire"' is fully related to the main change, implementing password encryption during transmission. It clearly summarizes the primary objective and is specific enough for teammates to understand the feature focus.
Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.

