id_token_as_jwt_bearer_assertion.rb

require 'rack/oauth2'
require 'json/jwt'
require 'webmock'

Rack::OAuth2.debug!

include WebMock::API
WebMock.disable_net_connect!

id_token = JSON::JWT.new(
  iss: 'https://as.example.com',
  sub: 'nov',
  aud: ['rp.example.com#ios', 'rp.example.com#backend'],
  azp: 'rp.example.com#ios',
  cnf: {code_challange: 'pkce-verifier-hash', code_challange_method: 'S256'},
  nonce: 'rp-generated-nonce',
  jti: 'server-generated-jwt-token-id', # NOTE: used for onetime-use restriction
  scp: ['offline_access', 'email', 'profile', 'calendar#read', 'inbox#read'],
  iat: Time.now,
  exp: 3.minutes.from_now
).sign OpenSSL::PKey::RSA.generate(2048), :RS256

puts JSON.pretty_generate(id_token.as_json)

client = Rack::OAuth2::Client.new(
  identifier: 'rp.example.com#backend',
  secret: 'super-duper-safety-secret',
  token_endpoint: 'https://as.example.com/tokens'
)

stub_request(:post, client.token_endpoint).to_return(
  body: {
    token_type: 'bearer',
    access_token: 'access_token',
    refresh_token: 'refresh_token'
  }.to_json
)

client.jwt_bearer = id_token
token = client.access_token!(
  code_verifier: 'pkce-verifier' # NOTE: won't be available for main window in replay mode, probably optional.
)
puts JSON.pretty_generate(token.raw_attributes)