Description
Support alternate methods for client authentication
Problem
Currently we support client_secret_basic and none as client authentication methods.
There are others outlined here: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
I'm especially interested in supporting private_key_jwt because that is one of the best ways to secure the OAuth flow in a mobile application (because the private key is stored in an HSM separated from the rest of the mobile OS, and thus much less susceptible to takeover).
Solution
Implement the private_key_jwt client authentication method.
Alternatives/workarounds
A clear and concise description of any alternative solutions or workarounds you've considered.
Additional context
Note that this implies support for https://datatracker.ietf.org/doc/html/rfc7523 and the ability of a client to have an associated public key. Probably pairs nicely with #1125
Auth0 supports this method: https://auth0.com/docs/get-started/authentication-and-authorization-flow/authenticate-with-private-key-jwt and we've had some clients request it.
See also https://openid.net/notice-of-a-security-vulnerability/ which indicates possible vulnerabilities and workarounds for using this method of client authentication and https://inversoft.slack.com/archives/C01UB1DE9DG/p1746468788808049 which has further discussion.
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
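To make the private_key_jwt method requested above concrete, here is an added Go example (not FusionAuth code and not part of this issue) showing both halves of the RFC 7523 exchange: the client signs a short-lived assertion with its private key, and the token endpoint validates the signature against the registered public key, pins the algorithm, requires an exact audience match and refuses replayed jti values. The Ed25519 key type, client_id, endpoint URL and function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
type Claims struct { // private_key_jwt client assertion claims (RFC 7523, OIDC Core section 9)
	Iss string `json:"iss"` // client_id
	Sub string `json:"sub"` // client_id again
	Aud string `json:"aud"` // the token endpoint this assertion was minted for
	Jti string `json:"jti"` // unique id so the server can refuse replays
	Exp int64  `json:"exp"` // unix seconds; keep the lifetime short
}
// decodeJSON base64url-decodes one JWT segment into v.
func decodeJSON(seg string, v any) bool {
	b, err := b64.DecodeString(seg)
	return err == nil && json.Unmarshal(b, v) == nil
}
// SignAssertion is the client side: only the signature leaves the key's home (e.g. an HSM).
func SignAssertion(c Claims, priv ed25519.PrivateKey) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}
// VerifyAssertion is the token endpoint side: keys maps client_id to its registered public key, seen records accepted jti values, now is unix seconds. Returns the authenticated client_id.
func VerifyAssertion(jwt, tokenURL string, keys map[string]ed25519.PublicKey, seen map[string]bool, now int64) (string, error) {
	parts := strings.Split(jwt, ".")
	var hdr struct{ Alg string `json:"alg"` }
	var c Claims
	if len(parts) != 3 || !decodeJSON(parts[0], &hdr) || !decodeJSON(parts[1], &c) {
		return "", errors.New("malformed assertion")
	}
	sig, _ := b64.DecodeString(parts[2]) // a bad or short signature simply fails Verify below
	switch pub, ok := keys[c.Iss]; {
	case hdr.Alg != "EdDSA" || !ok || c.Sub != c.Iss: // pin the alg (never "none"), iss == sub == registered client_id
		return "", errors.New("unexpected alg or unknown client")
	case !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig):
		return "", errors.New("bad signature")
	case c.Aud != tokenURL: // exact match, so an assertion minted for another endpoint is refused
		return "", errors.New("audience mismatch")
	case c.Jti == "" || now >= c.Exp || seen[c.Jti]: // bounded lifetime plus one-time jti
		return "", errors.New("expired or replayed assertion")
	}
	seen[c.Jti] = true
	return c.Iss, nil
}
```

The seen map stands in for whatever replay store a real server would use; entries only need to live until the matching exp has passed.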