Add support for client assertions in the OAuth 2 plugin#395

Merged
gschier merged 4 commits intomountain-loop:mainfrom
DavideBecker:main
Feb 14, 2026
Conversation

@DavideBecker DavideBecker commented Feb 14, 2026

This PR adds support for client assertions in the OAuth 2 plugin. As an alternative to sending a static client_secret, this allows sending a client_assertion that is a signed JWT.

Full disclaimer: I've only tried this with a single algorithm + secret + auth provider combination, since that's the only one I currently have access to. After I had a working version with my test case I asked Claude Opus 4.6 to add functionality that matches the RFC spec. This mostly added support for other secret types (HMAC & PEM):

  import { createPrivateKey, KeyObject } from 'node:crypto';

  // Resolve the configured Client Assertion secret into a signing key.
  // Returns the key plus the JWK's kid (if any) so it can go into the JWT header.
  function resolveSigningKey(
    secret: string | Buffer,
    isHmac: boolean,
  ): { signingKey: string | Buffer | KeyObject; kid?: string } {
    const trimmed = typeof secret === 'string' ? secret.trim() : '';
    let signingKey: string | Buffer | KeyObject;
    let kid: string | undefined;

    if (isHmac) {
      // HMAC algorithms use the raw secret (string or Buffer)
      signingKey = secret;
    } else if (trimmed.startsWith('{')) {
      // Looks like JSON - treat as JWK. There is surely a better way to detect JWK vs a raw secret, but this should work in most cases.
      let jwk: any;
      try {
        jwk = JSON.parse(trimmed);
      } catch {
        throw new Error('Client Assertion secret looks like JSON but is not valid');
      }

      kid = jwk.kid;
      signingKey = createPrivateKey({ key: jwk, format: 'jwk' });
    } else if (trimmed.startsWith('-----')) {
      // PEM-encoded key
      signingKey = createPrivateKey({ key: trimmed, format: 'pem' });
    } else {
      throw new Error(
        'Client Assertion secret must be a JWK JSON object, a PEM-encoded key ' +
          '(starting with -----), or a raw secret for HMAC algorithms.',
      );
    }

    return { signingKey, kid };
  }

However, this part is untested. I also don't have an OAuth provider with a basic client_id / client_secret combination at hand right now. I was careful to keep the existing functionality the same; I would appreciate someone testing this first to be sure.

I also noticed when running npm run format that it changed a few lines I did not touch.

Closes https://yaak.app/feedback/posts/support-for-oauth-2-client-assertions-jwks
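For readers who want to see what the PR description means by "a client_assertion that is a signed JWT", the following is an added example and not code from the PR or from the Yaak code base. It builds the assertion as RFC 7523 describes it (iss and sub set to the client_id, aud set to the token endpoint, a unique jti and a short exp), places it in the token request body, and also shows the checks a token endpoint performs before accepting one, including deriving the algorithm from the key registered for the client rather than from the JWT header. The function names, the client id `client-123`, the endpoint `https://as.example/token` and the run-time RSA key pair are all constructed for this example; only the assertion type URI is fixed by the RFC.

```typescript
import {
  createHmac, generateKeyPairSync, randomUUID, timingSafeEqual,
  sign as rsaSign, verify as rsaVerify, KeyObject,
} from 'node:crypto';

// Assertion type URI fixed by RFC 7523 (JWT profile for client authentication).
export const CLIENT_ASSERTION_TYPE =
  'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';

export type Alg = 'HS256' | 'RS256';
export interface AssertionClaims {
  iss: string; sub: string; aud: string; jti: string; iat: number; exp: number;
}

const b64url = (data: Buffer | string): string => Buffer.from(data).toString('base64url');
const fromB64url = (s: string): string => Buffer.from(s, 'base64url').toString('utf8');

// HS256 = client_secret_jwt (shared secret); RS256 = private_key_jwt (PEM/JWK private key).
function signInput(alg: Alg, key: string | KeyObject, input: string): Buffer {
  if (alg === 'HS256') {
    if (typeof key !== 'string') throw new Error('HS256 needs a raw shared secret');
    return createHmac('sha256', key).update(input).digest();
  }
  if (typeof key === 'string') throw new Error('RS256 needs a private KeyObject');
  return rsaSign('sha256', Buffer.from(input), key);
}

// Client side: build the JWT that is sent in place of a static client_secret.
export function buildClientAssertion(
  clientId: string, tokenEndpoint: string, alg: Alg, key: string | KeyObject,
  opts: { kid?: string; now?: number; ttlSeconds?: number } = {},
): string {
  const iat = opts.now ?? Math.floor(Date.now() / 1000);
  const header: Record<string, string> = { alg, typ: 'JWT' };
  if (opts.kid) header.kid = opts.kid;          // lets the server pick the right public key
  const claims: AssertionClaims = {
    iss: clientId,                               // RFC 7523: iss and sub are both the client_id
    sub: clientId,
    aud: tokenEndpoint,                          // binds the assertion to one authorization server
    jti: randomUUID(),                           // unique id so the server can reject replays
    iat,
    exp: iat + (opts.ttlSeconds ?? 60),          // short lifetime limits the value of a leaked assertion
  };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(signInput(alg, key, input))}`;
}

// The form body of the token request that carries the assertion.
export function tokenRequestBody(assertion: string, scope?: string): URLSearchParams {
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_assertion_type: CLIENT_ASSERTION_TYPE,
    client_assertion: assertion,
  });
  if (scope) body.set('scope', scope);
  return body;
}

// Server side: the checks a token endpoint performs before trusting the assertion.
// The algorithm is decided by the key registered for the client, never by the
// header alone, so an HS256 token cannot be verified against an RSA public key.
export function verifyClientAssertion(
  jwt: string, expectedClientId: string, tokenEndpoint: string,
  registeredKey: string | KeyObject, now: number = Math.floor(Date.now() / 1000),
): AssertionClaims {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;
  const expectedAlg: Alg = typeof registeredKey === 'string' ? 'HS256' : 'RS256';
  const header = JSON.parse(fromB64url(h)) as { alg?: string; typ?: string };
  if (header.alg !== expectedAlg) throw new Error(`alg ${header.alg} does not match registered key`);
  const input = `${h}.${p}`;
  const sig = Buffer.from(s, 'base64url');
  let ok: boolean;
  if (typeof registeredKey === 'string') {
    const expected = createHmac('sha256', registeredKey).update(input).digest();
    ok = expected.length === sig.length && timingSafeEqual(expected, sig);
  } else {
    ok = rsaVerify('sha256', Buffer.from(input), registeredKey, sig);
  }
  if (!ok) throw new Error('signature verification failed');
  const claims = JSON.parse(fromB64url(p)) as Partial<AssertionClaims>;
  if (claims.iss !== expectedClientId || claims.sub !== expectedClientId) throw new Error('iss/sub mismatch');
  if (claims.aud !== tokenEndpoint) throw new Error('aud mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('assertion expired');
  if (typeof claims.jti !== 'string' || claims.jti.length === 0) throw new Error('missing jti');
  return claims as AssertionClaims;
}

// Demo RSA key pair generated at run time; constructed for this example only.
export function demoRsaKeys(): { publicKey: KeyObject; privateKey: KeyObject } {
  return generateKeyPairSync('rsa', { modulusLength: 2048 });
}
```

A production token endpoint would additionally remember seen `jti` values until their `exp` passes so a captured assertion cannot be replayed, and would look the verification key up by the registered client (and `kid`) rather than accept one from the request.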

@gschier gschier left a comment

Amazing! Thanks for doing this. I'm okay with the untested code. I did some research with Claude and it seems to be correct 👍🏻

@gschier gschier merged commit f5d11cb into mountain-loop:main Feb 14, 2026
2 checks passed