# ory-network
e
Hello, I am a bit stuck here and the chatbot is reaching its limit. I am discovering the system, and I am testing how to get an access token by providing a Google credential, using the API only. I am following this doc and I am using the following HTTP call:
```
curl -X POST "https://myslug.projects.oryapis.com/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" \
  -d "scope=read" \
  -d "assertion=Google idToken"
```
But every call I make fails with:
```
"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Client credentials missing or malformed in both HTTP Authorization header and HTTP POST body."
```
There is an additional thing I do not understand (most likely both are linked). The doc also states that I need to establish a trust relationship by providing the issuer (here "https://accounts.google.com") and the JWK. But why do I need to provide the JWK? Is not the purpose of JWT to dynamically provide the key ID? If/when Google updates its key ID, do I need to re-establish a new trust?
s
The token provides the key ID, but how would we know where to look up that key? Also, we don't automatically "trust" any provider, not even Google, so you have full control over what tokens can be used.
e
Thanks! I understand we may want to create a trusted list of OIDC providers, otherwise I could just make any dummy provider to log in. However, why provide the pub key to the trust? If I am not mistaken, the keys are always available under the .well-known API and can be dynamically found by the system. Did I miss something?
Also, do you have any suggestion on why I am getting the error, and what I should check? (nvm, I actually found that my client secret was wrong, sorry for this 🙂)
s
JWK discovery is currently not supported, but it would in general be possible.
e
Got it, thanks!