Some identity providers support OAuth client authentication using the private_key_jwt
authentication method. This means you invoke the OAuth token endpoint with a JWT that is signed using a private key and a client_assertion_type set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer. The identity provider then validates the token using the public key and issues an access token.
In the setup at the identity provider you have to create an OAuth client, set it up to use private_key_jwt as the authentication method and supply a URL to the JWKS (JSON Web Key Set) that contains the public key(s). This makes this flow very easy to implement with a Google service account, since Google publicly hosts the JWKS for each service account at https://www.googleapis.com/service_accounts/v1/jwk/SERVICE_ACCOUNT_EMAIL. Having the identity provider fetch the JWKS from a public endpoint adds security, as it allows for frequent service account key rotation on Google's side without the need to reconfigure the i
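As an added example (not code from the original post), both halves of the flow in Go using only the standard library: the client signs the client_assertion JWT with the service account's private key, and the identity provider validates it against the JWKS, selecting the key by kid so that a rotated-out key is rejected. The key pair, kid, client id and token endpoint are constructed stand-ins, and the JWKS is held in memory instead of being fetched from the Google URL above.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)
// JWK holds the public RSA material a JWKS endpoint publishes; kid selects the key after a rotation.
type JWK struct{ Kty, Kid, N, E string }
var enc = base64.RawURLEncoding
func dec(s string) []byte { b, _ := enc.DecodeString(s); return b } // malformed input simply fails verification below
// NewKey stands in for the key pair Google manages for the service account (hypothetical helper, not Google's API).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// PublicJWKS is what the service account's jwk URL would serve for this key: the public half only.
func PublicJWKS(key *rsa.PrivateKey, kid string) []JWK {
	return []JWK{{"RSA", kid, enc.EncodeToString(key.N.Bytes()), enc.EncodeToString(big.NewInt(int64(key.E)).Bytes())}}
}
// BuildAssertion signs the client_assertion JWT (RS256) that the client posts to the token endpoint.
func BuildAssertion(key *rsa.PrivateKey, kid, clientID, tokenEndpoint string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint, "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()}) // short-lived, bound to this endpoint
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + enc.EncodeToString(sig), nil
}
// VerifyAssertion is the identity provider's side: pick the JWKS key by kid, check the RS256 signature over header.payload, then audience and expiry; returns the authenticated client (sub).
func VerifyAssertion(token string, jwks []JWK, tokenEndpoint string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return "", errors.New("malformed JWT") }
	var hdr struct{ Alg, Kid string }; var claims struct{ Sub, Aud string; Exp int64 }
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || json.Unmarshal(dec(parts[1]), &claims) != nil || hdr.Alg != "RS256" { return "", errors.New("undecodable token or unexpected alg") } // never accept alg=none or an HMAC alg here
	for _, k := range jwks {
		if k.Kty != "RSA" || k.Kid != hdr.Kid { continue } // a rotated-out key is simply absent from the JWKS, so its assertions are rejected
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(dec(k.N)), E: int(new(big.Int).SetBytes(dec(k.E)).Int64())}
		digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], dec(parts[2])) != nil { return "", errors.New("bad signature") }
		if claims.Aud != tokenEndpoint || claims.Exp < now.Unix() { return "", errors.New("wrong audience or expired") }
		return claims.Sub, nil
	}
	return "", errors.New("kid not in JWKS")
}
```

A real identity provider additionally fetches and caches the JWKS from the configured URL and usually enforces a one-time jti; both are left out here to keep the two sides readable.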