feat: add JWT client assertion OAuth2 support #13418

Open
ItalyPaleAle wants to merge 1 commit into nextauthjs:main from ItalyPaleAle:client-assertions

@ItalyPaleAle

☕️ Reasoning

This is based on RFC 7523

It allows configuring an OAuth2 provider with a `clientAssertionProvider` instead of a `clientSecret`, so omitting long-lived credentials.

This PR is currently not concerned with what providers support (or will support) client assertions. It is also not concerned with how the assertion is obtained: could be a Kubernetes token, a token from a cloud platform, etc.

For example, for an application running on Vercel and authenticating with Entra ID, you can now configure next-auth with:

```ts
import MicrosoftEntraID from 'next-auth/providers/microsoft-entra-id'
import { getVercelOidcToken } from '@vercel/oidc'

export const authConfig = {
  providers: [
    MicrosoftEntraID({
      clientId: process.env.AZURE_AD_CLIENT_ID!,
      issuer: `https://login.microsoftonline.com/${process.env.AZURE_AD_TENANT_ID!}/v2.0`,
      // No clientSecret: this callback returns the JWT used as the client assertion
      clientAssertionProvider: async (): Promise<string> => {
        return getVercelOidcToken()
      },
    }),
  ],
}
```

You then just need to configure your application in the Azure portal to accept federation with these values:

  • Issuer: https://oidc.vercel.com/<vercel-team>
  • Audience: https://vercel.com/<vercel-team>
  • Subject: owner:<vercel-team>:project:<project-name>:environment:production

🧢 Checklist

  • Documentation
  • Tests
  • Ready to be merged

🎫 Affected issues

N/A

📌 Resources

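
A local pre-flight check for the federation values listed in the description above, as an added example that is not part of the PR or of next-auth: it decodes an assertion (without verifying it), compares `iss`, `aud`, `sub` and `exp` with the federated credential, and builds a token request with the RFC 7523 section 2.2 parameters in place of `client_secret`. The function names and the `acme` / `my-app` sample values are assumptions made for this example.

```typescript
// Added example (not code from this PR). Function names and the "acme" /
// "my-app" values are constructed for illustration.
interface FederatedCredential { issuer: string; audience: string; subject: string }

const SAMPLE_FC: FederatedCredential = {
  issuer: "https://oidc.vercel.com/acme",
  audience: "https://vercel.com/acme",
  subject: "owner:acme:project:my-app:environment:production",
}

const b64url = (o: object): string => Buffer.from(JSON.stringify(o)).toString("base64url")

// Constructed token with a placeholder signature, for offline testing only.
function sampleToken(claims: object): string {
  return `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(claims)}.constructed-signature`
}

// Decode the payload WITHOUT verifying the signature. Diagnostics only: the
// authorization server is the party that validates the assertion.
function decodeClaims(jwt: string): Record<string, unknown> {
  const parts = jwt.split(".")
  if (parts.length !== 3) throw new Error("assertion is not a compact JWS")
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"))
}

// List every mismatch between the assertion and the federated credential.
function checkAssertion(jwt: string, fc: FederatedCredential, nowSec: number): string[] {
  const c = decodeClaims(jwt)
  const problems: string[] = []
  if (c.iss !== fc.issuer) problems.push(`iss is ${String(c.iss)}`)
  const aud: unknown[] = Array.isArray(c.aud) ? c.aud : [c.aud]
  if (aud.indexOf(fc.audience) === -1) problems.push(`aud is ${JSON.stringify(c.aud)}`)
  if (c.sub !== fc.subject) problems.push(`sub is ${String(c.sub)}`)
  const exp = c.exp
  if (typeof exp !== "number" || exp <= nowSec) problems.push("exp missing or in the past")
  return problems
}

// Token request body: RFC 7523 section 2.2 parameters replace client_secret.
function tokenRequestBody(clientId: string, code: string, redirectUri: string, assertion: string): URLSearchParams {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    client_assertion: assertion,
  })
}
```

A token issued for a preview deployment fails the `sub` comparison here, which is the same mismatch the identity provider would reject against the production-only subject shown above.
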
@vercel

vercel Bot commented Apr 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| auth-docs | Ready | Preview, Comment | Apr 22, 2026 4:14pm |

1 Skipped Deployment

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| next-auth-docs | Ignored | Preview | Apr 22, 2026 4:14pm |

@vercel

vercel Bot commented Apr 22, 2026

@ItalyPaleAle is attempting to deploy a commit to the authjs Team on Vercel.

A member of the Team first needs to authorize it.

Labels

core Refers to `@auth/core` providers
