[GH-ISSUE #5935] Support for client assertions (private_key_jwt) #10380

New Issue

GiteaMirror · 2026-04-13T06:29:13-05:00

GiteaMirror commented

2026-04-13 06:29:13 -05:00

Originally created by @EnzoAlbornoz on GitHub (Nov 12, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/5935

Originally assigned to: @gustavovalverde, @Paola3stefania on GitHub.

Is this suited for github?

Yes, this is suited for github

RFC 7521: Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants introduced a new authentication type, private_key_jwt. This method is used by providers like Okta and is recommended for financial-grade APIs due to the increased security it provides with asymmetric keys.

Describe the solution you'd like

Include a new token authorization type called private_key_jwt (or pk as a shorthand) for validating authorization codes.

Describe alternatives you've considered

Using client secret: Financial-grade APIs are recommended to use private_key_jwt due to asymmetric key security features, so switching to it shouldn't be encouraged.
Rolling my own auth: Well, this is hard, isn't it 🥲?

Additional context

No response

Originally created by @EnzoAlbornoz on GitHub (Nov 12, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/5935 Originally assigned to: @gustavovalverde, @Paola3stefania on GitHub. ### Is this suited for github? - [x] Yes, this is suited for github ### Is your feature request related to a problem? Please describe. RFC 7521: Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants introduced a new authentication type, private_key_jwt. This method is used by providers like Okta and is recommended for financial-grade APIs due to the increased security it provides with asymmetric keys. ### Describe the solution you'd like Include a new token authorization type called `private_key_jwt` (or `pk` as a shorthand) for validating authorization codes. ### Describe alternatives you've considered - Using client secret: Financial-grade APIs are recommended to use private_key_jwt due to asymmetric key security features, so switching to it shouldn't be encouraged. - Rolling my own auth: Well, this is hard, isn't it 🥲? ### Additional context _No response_

GiteaMirror added the oauth identity labels 2026-04-13 06:29:13 -05:00

GiteaMirror commented

2026-04-13 06:29:14 -05:00

@better-auth-agent[bot] commented on GitHub (Nov 12, 2025):

(tag @better-auth-agent if you would like an answer from the Agent)

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Nov 12, 2025): (tag @better-auth-agent if you would like an answer from the Agent)  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-04-13 06:29:15 -05:00

@rovertrack commented on GitHub (Nov 14, 2025):

@better-auth-agent elaborate

@rovertrack commented on GitHub (Nov 14, 2025): @better-auth-agent elaborate

GiteaMirror commented

2026-04-13 06:29:15 -05:00

@better-auth-agent[bot] commented on GitHub (Nov 14, 2025):

Thanks for your input on supporting client assertions with private_key_jwt. We understand that using asymmetric key security per RFC 7521 is particularly important for financial-grade APIs, and we’re actively evaluating how to incorporate a new token authorization type (or shorthand “pk”) into our framework to handle validation of authorization codes more securely [1]. Currently, better-auth relies on client secret–based methods, but we appreciate the suggestion to move toward a more robust, asymmetric approach.

Our next steps include reviewing the necessary standards and implementation details to ensure any changes remain backward compatible while enhancing security. In the meantime, could you please share any specific scenarios or requirements you’re encountering with your integration? Tag @bekacru or @ping__ if you’d like more in-depth insight from our team.

tag @better-auth-agent if you would like an answer from the Agent

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Nov 14, 2025): Thanks for your input on supporting client assertions with private_key_jwt. We understand that using asymmetric key security per RFC 7521 is particularly important for financial-grade APIs, and we’re actively evaluating how to incorporate a new token authorization type (or shorthand “pk”) into our framework to handle validation of authorization codes more securely [[1]](https://github.com/better-auth/better-auth/issues/2000). Currently, better-auth relies on client secret–based methods, but we appreciate the suggestion to move toward a more robust, asymmetric approach. Our next steps include reviewing the necessary standards and implementation details to ensure any changes remain backward compatible while enhancing security. In the meantime, could you please share any specific scenarios or requirements you’re encountering with your integration? Tag @bekacru or @ping__ if you’d like more in-depth insight from our team. tag @better-auth-agent if you would like an answer from the Agent  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-04-13 06:29:16 -05:00

@mattss-madetech commented on GitHub (Nov 14, 2025):

I'm also interested in this feature, as I'm currently working on a project to integrate our Better Auth installation with the GOV.UK One Login service, a central authentication provider used across a number of UK government services.

At the moment we are only using it for authentication, which means we can temporarily use client_secret. However if we want to take advantage of their identity proving features in future, they require the additional security protections provided by private_key_jwt.

More details on GOV.UK One Login:

@mattss-madetech commented on GitHub (Nov 14, 2025): I'm also interested in this feature, as I'm currently working on a project to integrate our Better Auth installation with the GOV.UK One Login service, a central authentication provider used across a number of UK government services. At the moment we are only using it for authentication, which means we can temporarily use `client_secret`. However if we want to take advantage of their identity proving features in future, they require the additional security protections provided by `private_key_jwt`. More details on GOV.UK One Login: * https://www.sign-in.service.gov.uk * https://docs.sign-in.service.gov.uk/before-integrating/integrating-third-party-platform/#set-up-client-secret-using-client-secret-post

GiteaMirror commented

2026-04-13 06:29:16 -05:00

@rovertrack commented on GitHub (Nov 14, 2025):

@himself65 can we do this?

@rovertrack commented on GitHub (Nov 14, 2025): @himself65 can we do this?

GiteaMirror commented

2026-04-13 06:29:17 -05:00

@EnzoAlbornoz commented on GitHub (Nov 17, 2025):

Additional Docs here

Basically, instead of sending a client secret in the body, you would send a signed JWT that would be verified by the provider using your public key.

@EnzoAlbornoz commented on GitHub (Nov 17, 2025): Additional Docs [here](https://oauth.net/private-key-jwt/) Basically, instead of sending a client secret in the body, you would send a signed JWT that would be verified by the provider using your public key.

GiteaMirror commented

2026-04-13 06:29:18 -05:00

@EnzoAlbornoz commented on GitHub (Nov 19, 2025):

I've built a prototype of the client assertion in the SSO plugin. I needed to convert two functions from sync to async because jose handles JWT signing asynchronously.

I know there's still a lot to do, but I was able to make it work with Okta, so at least it works on the happy path.

@EnzoAlbornoz commented on GitHub (Nov 19, 2025): [I've built a prototype of the client assertion in the SSO plugin](https://github.com/better-auth/better-auth/pull/6091). I needed to convert two functions from sync to async because `jose` handles JWT signing asynchronously. I know there's still a lot to do, but I was able to make it work with Okta, so at least it works on the happy path.

GiteaMirror commented

2026-04-13 06:29:19 -05:00

@EnzoAlbornoz commented on GitHub (Nov 19, 2025):

Regarding #6053, it doesn't handle the use case I had in mind when I created this issue. This issue is more about the sso plugin than the oidc-provider

@EnzoAlbornoz commented on GitHub (Nov 19, 2025): Regarding #6053, it doesn't handle the use case I had in mind when I created this issue. This issue is more about the sso plugin than the oidc-provider

GiteaMirror commented

2026-04-13 06:29:20 -05:00

@dosubot[bot] commented on GitHub (Feb 18, 2026):

Hi, @EnzoAlbornoz. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary

You requested support for the private_key_jwt client assertion method to enhance OAuth 2.0 client authentication security, particularly for financial-grade APIs like Okta.
The maintainers recognize the importance and are considering how to integrate this asymmetric key approach while maintaining backward compatibility.
You shared a working prototype implementation in the SSO plugin for Okta.
Other users, such as mattss-madetech, have shown interest due to GOV.UK One Login requirements.
The ongoing discussion is focused on the SSO plugin rather than the oidc-provider.

Next Steps

Please let me know if this issue is still relevant to the latest version of better-auth by commenting here to keep the discussion open.
If I do not hear back within 7 days, this issue will be automatically closed.

Thank you for your understanding and contribution!

@dosubot[bot] commented on GitHub (Feb 18, 2026): Hi, @EnzoAlbornoz. I'm [Dosu](https://dosu.dev), and I'm helping the better-auth team manage their backlog and am marking this issue as stale. **Issue Summary** - You requested support for the private_key_jwt client assertion method to enhance OAuth 2.0 client authentication security, particularly for financial-grade APIs like Okta. - The maintainers recognize the importance and are considering how to integrate this asymmetric key approach while maintaining backward compatibility. - You shared a working prototype implementation in the SSO plugin for Okta. - Other users, such as mattss-madetech, have shown interest due to GOV.UK One Login requirements. - The ongoing discussion is focused on the SSO plugin rather than the oidc-provider. **Next Steps** - Please let me know if this issue is still relevant to the latest version of better-auth by commenting here to keep the discussion open. - If I do not hear back within 7 days, this issue will be automatically closed. Thank you for your understanding and contribution!

GiteaMirror commented

2026-04-13 06:29:22 -05:00

@Bekacru commented on GitHub (Feb 18, 2026):

@Paola3stefania

@Bekacru commented on GitHub (Feb 18, 2026): @Paola3stefania

GiteaMirror commented

2026-04-13 06:29:23 -05:00

@gustavovalverde commented on GitHub (Mar 31, 2026):

@EnzoAlbornoz @mattss-madetech can you have a look at:

https://github.com/better-auth/better-auth/pull/8836

This wasn't a trivial addition, so if you're able to test that branch I'd appreciate it

@gustavovalverde commented on GitHub (Mar 31, 2026): @EnzoAlbornoz @mattss-madetech can you have a look at: - https://github.com/better-auth/better-auth/pull/8836 This wasn't a trivial addition, so if you're able to test that branch I'd appreciate it

Sign in to join this conversation.

Branches Tags

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-227a091249

dependabot/github_actions/github-actions-98f3470200

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#10380