feat(core): support private_key_jwt token auth method

[leemcmullen]

☕️ Reasoning

Currently there are 2 issues with NextAuth when attempting to use token_endpoint_auth_method: "private_key_jwt":

1 - There is nowhere to actually configure/use a private key which is required for this type of auth
2 - NextAuth currently does not pass the options.clientPrivateKey paramater into the underlying oauth4web library

This PR addresses both of those issues. So an example provider would end up looking like this:

    {
      id: "example-private_key_jwt-provider",
      name: "ExamplePrivateKeyJwtProvider",
      type: "oidc",
      clientId: "jwt-example-client",
      idToken: true,
      wellKnown:
        "https://auth.sandpit.example.jwt.madeupprovider.uk/.well-known/openid-configuration",
      issuer: "https://auth.sandpit.example.jwt.madeupprovider.uk",
      authorization: {
        params: {
          scope: "openid profile profile_extended",
        },
      },
      checks: [],
      client: {
        token_endpoint_auth_method: "private_key_jwt",
      },
      token: {
        clientPrivateKey: getKeyContentsFromEnv(), // fn which returns the private key
      },
    },

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
auth-docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 14, 2024 11:28am

1 Ignored Deployment

Name	Status	Preview	Comments	Updated (UTC)
next-auth-docs	⬜️ Ignored (Inspect)	Visit Preview		Jun 14, 2024 11:28am

[vercel]

@leemcmullen is attempting to deploy a commit to the authjs Team on Vercel.

A member of the Team first needs to authorize it.

[leemcmullen]

@ThangHuuVu Hey! 👋

It seems like you've been allocated as the reviewer for my PR. Just wondered what the expectation in terms of timescales to get a review is likely to be?

Thanks, Lee 👍

[balazsorban44]

Thanks! Please check my comments.

[leemcmullen]

@balazsorban44 Awesome, thanks for the comments!

I've resolved them all and had to make another tweak as a result of moving clientPrivateKey onto the provider.token prop. I had to update the normalizeEndpoint to ensure the clientPrivateKey is preserved because it was stripping it out. I noticed this method is used in some other cases too so let me know if this is ok or needs changing:

https://github.com/leemcmullen/next-auth/blob/d1dc98acfd971d1c8ed06a6fb935c0f6f632770e/packages/core/src/lib/utils/providers.ts#L158