There are parts missing from the step-by-step documentation, and customers are finding it difficult to get this working.
We mention what the client_assertion JWT should contain, but we don't mention that we need to:
- set Token Endpoint Authentication Method to private_key_jwt (this seems to work for both symmetric and asymmetric algorithms set in Token Endpoint Authentication Signing Algorithm)
- set Token Endpoint Authentication Signing Algorithm accordingly, depending on how the client_assertion is signed
If using a public/private key pair, we also need to mention that Public Key Selector has to be set appropriately (it isn't always Client JWT Bearer Public Key):
- If verifying using a certificate, set it to X509 and put the certificate in Client JWT Bearer Public Key
- If set to JWKs URI, add the URI to Json Web Key URI
- If set to JWKs, add JWK set to Json Web Key
If using HS256, the JWT needs to be signed with the client_secret, I believe (like client_secret_jwt in the spec), so we should mention this.
If we could also provide some full example requests/responses, that would help too.
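As an added example (not part of the original issue, and not the product's own code), the following Python builds the client_assertion JWT described above, shows the form body of the token request that carries it, and runs the checks an authorization server performs on the assertion (signature, iss/sub equal to the client_id, aud equal to the token endpoint, exp, and a one-time jti). It signs with HS256 using the client_secret, since that needs only the standard library; for private_key_jwt with an asymmetric algorithm the `sign` callback is swapped for an RSA or ECDSA signature made with the client's private key, and the verifier uses the public key selected via Public Key Selector instead of the shared secret. All identifiers, URLs and secrets are constructed example values.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import urlencode

# Constructed example values; replace with the real client registration.
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-client-secret-do-not-reuse"
TOKEN_ENDPOINT = "https://as.example.com/oauth2/access_token"
JWT_BEARER_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_signer(secret: str):
    """Signer for client_secret_jwt: HMAC-SHA256 keyed with the client_secret."""
    return lambda data: hmac.new(secret.encode(), data, hashlib.sha256).digest()


def build_client_assertion(client_id, token_endpoint, sign, alg, now=None, lifetime=60):
    """Build the JWT sent as client_assertion. `sign(bytes) -> bytes` produces the signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    claims = {
        "iss": client_id,        # issuer and subject are both the client_id
        "sub": client_id,
        "aud": token_endpoint,   # audience is the token endpoint URL
        "iat": now,
        "exp": now + lifetime,   # short lifetime limits the replay window
        "jti": str(uuid.uuid4()),  # unique per assertion so the AS can reject replays
    }
    encode = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{encode(header)}.{encode(claims)}"
    return f"{signing_input}.{b64url(sign(signing_input.encode()))}"


def token_request_body(client_id, assertion, code, redirect_uri):
    """Form body of the POST to the token endpoint (authorization code grant)."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_assertion_type": JWT_BEARER_TYPE,
        "client_assertion": assertion,
    })


def verify_client_assertion(assertion, client_id, token_endpoint, secret, seen_jti, now=None):
    """Server-side validation of an HS256 client assertion. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return False, "malformed JWT"
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    # Only the algorithm configured for this client is acceptable; never honour "none".
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False, "iss/sub mismatch"
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud mismatch"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        return False, "missing or replayed jti"
    seen_jti.add(jti)
    return True, "ok"


if __name__ == "__main__":
    assertion = build_client_assertion(CLIENT_ID, TOKEN_ENDPOINT, hs256_signer(CLIENT_SECRET), "HS256")
    print(token_request_body(CLIENT_ID, assertion, "example-auth-code", "https://app.example.com/cb"))
    print(verify_client_assertion(assertion, CLIENT_ID, TOKEN_ENDPOINT, CLIENT_SECRET, set()))
```

The token request is a normal `application/x-www-form-urlencoded` POST; `client_assertion_type` is the fixed urn shown above and `client_assertion` is the JWT. Verifying the same assertion twice against the same `seen_jti` set fails on the replay check, which is the behaviour a client should expect if it retries with a cached assertion instead of minting a fresh one.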