Support for client assertions (private_key_jwt)

[EnzoAlbornoz]

Is this suited for github?

• Yes, this is suited for github

Is your feature request related to a problem? Please describe.

RFC 7521: Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants introduced a new authentication type, private_key_jwt. This method is used by providers like Okta and is recommended for financial-grade APIs due to the increased security it provides with asymmetric keys.

Describe the solution you'd like

Include a new token authorization type called private_key_jwt (or pk as a shorthand) for validating authorization codes.

Describe alternatives you've considered

• Using client secret: Financial-grade APIs are recommended to use private_key_jwt due to asymmetric key security features, so switching to it shouldn't be encouraged.
• Rolling my own auth: Well, this is hard, isn't it 🥲?

Additional context

No response

[better-auth-agent]

(tag @better-auth-agent if you would like an answer from the Agent)

Diagram • Discord • GitHub

[rovertrack]

@better-auth-agent elaborate

[better-auth-agent]

Thanks for your input on supporting client assertions with private_key_jwt. We understand that using asymmetric key security per RFC 7521 is particularly important for financial-grade APIs, and we’re actively evaluating how to incorporate a new token authorization type (or shorthand “pk”) into our framework to handle validation of authorization codes more securely [1]. Currently, better-auth relies on client secret–based methods, but we appreciate the suggestion to move toward a more robust, asymmetric approach.

Our next steps include reviewing the necessary standards and implementation details to ensure any changes remain backward compatible while enhancing security. In the meantime, could you please share any specific scenarios or requirements you’re encountering with your integration? Tag @Bekacru or @ping__ if you’d like more in-depth insight from our team.

tag @better-auth-agent if you would like an answer from the Agent

Diagram • Discord • GitHub

[mattss-madetech]

I'm also interested in this feature, as I'm currently working on a project to integrate our Better Auth installation with the GOV.UK One Login service, a central authentication provider used across a number of UK government services.

At the moment we are only using it for authentication, which means we can temporarily use client_secret. However if we want to take advantage of their identity proving features in future, they require the additional security protections provided by private_key_jwt.

More details on GOV.UK One Login:

• https://www.sign-in.service.gov.uk
• https://docs.sign-in.service.gov.uk/before-integrating/integrating-third-party-platform/#set-up-client-secret-using-client-secret-post

[rovertrack]

@himself65 can we do this?

[EnzoAlbornoz]

Additional Docs here

Basically, instead of sending a client secret in the body, you would send a signed JWT that would be verified by the provider using your public key.

[EnzoAlbornoz]

I've built a prototype of the client assertion in the SSO plugin. I needed to convert two functions from sync to async because jose handles JWT signing asynchronously.

I know there's still a lot to do, but I was able to make it work with Okta, so at least it works on the happy path.

[EnzoAlbornoz]

Regarding #6053, it doesn't handle the use case I had in mind when I created this issue. This issue is more about the sso plugin than the oidc-provider

[dosubot]

Hi, @EnzoAlbornoz. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary

• You requested support for the private_key_jwt client assertion method to enhance OAuth 2.0 client authentication security, particularly for financial-grade APIs like Okta.
• The maintainers recognize the importance and are considering how to integrate this asymmetric key approach while maintaining backward compatibility.
• You shared a working prototype implementation in the SSO plugin for Okta.
• Other users, such as mattss-madetech, have shown interest due to GOV.UK One Login requirements.
• The ongoing discussion is focused on the SSO plugin rather than the oidc-provider.

Next Steps

• Please let me know if this issue is still relevant to the latest version of better-auth by commenting here to keep the discussion open.
• If I do not hear back within 7 days, this issue will be automatically closed.

Thank you for your understanding and contribution!

[Bekacru]

@Paola3stefania