Build Identity Assertion JWT Authorization Grant assertions (ID-JAG / EMA).
This is the client-side mirror of Attesto.IdentityAssertion.verify/3: the
client constructs a short-lived JWT bearer grant assertion and the
authorization server verifies it against a trusted issuer JWKS. The assertion
is presented to the token endpoint as the RFC 7523 §4 JWT-bearer grant
(grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer, assertion=<jwt>).
The JOSE header typ is fixed to "oauth-id-jag+jwt", matching attesto's
verifier. The required claim set is the draft's ID-JAG set:
- iss - trusted identity-assertion issuer.
- sub - asserted user subject.
- aud - resource authorization server issuer.
- client_id - client presenting the assertion.
- jti - unique assertion identifier.
- iat/exp - short validity window.
Extra string-keyed claims may be added for deployment-specific identity data
(scope, email, tenant claims, etc.) as long as they do not collide with the
registered claims above.
Types
@type build_opt() ::
        {:issuer, String.t()}
        | {:audience, String.t()}
        | {:client_id, String.t()}
        | {:subject, String.t()}
        | {:claims, %{optional(String.t()) => term()}}
        | {:alg, String.t()}
        | {:kid, String.t()}
        | {:lifetime, pos_integer()}
        | {:now, non_neg_integer()}
        | {:jti, String.t()}
        | {:nbf, non_neg_integer()}

@type error() ::
        :invalid_key
        | :invalid_issuer
        | :invalid_audience
        | :invalid_client_id
        | :invalid_subject
        | :invalid_claims
        | :reserved_claim_conflict
        | :invalid_lifetime
        | :invalid_time
        | :invalid_jti
        | :unsupported_alg
        | :unsupported_key
        | {:signing_failed, String.t()}

@type jwk() :: JOSE.JWK.t() | map()
Functions
Build a signed ID-JAG assertion, returning {:ok, compact_jws} or
{:error, reason}.
Required options: :issuer, :audience, :client_id, and :subject.
Optional :claims must be a string-keyed map whose keys do not collide with
the registered ID-JAG claims (iss, sub, aud, client_id, jti, iat, exp, nbf).
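The following is an added illustration, not this module's code, of both the assertion format described in the module overview and the option checks listed for the builder. Because the page does not show the builder function's name, it uses the JOSE library directly (assumed to be available as the `jose` hex package) to produce the same kind of compact JWS: `typ` pinned to `oauth-id-jag+jwt`, the ID-JAG claim set, extra claims rejected when they collide with a registered claim, and the result wrapped in an RFC 7523 §4 token request. The module name `IdJagExample`, the issuer/authorization-server URLs, the client id and the subject are all made up for the demonstration, and the signing key is generated locally; a real deployment signs with the issuer's published key so the authorization server can resolve it from the issuer JWKS by `kid`.

```elixir
# Added example (not the module's own code). Requires the `jose` hex package.
defmodule IdJagExample do
  @typ "oauth-id-jag+jwt"
  @grant_type "urn:ietf:params:oauth:grant-type:jwt-bearer"
  # Registered ID-JAG claims: deployment-specific claims must not overwrite these.
  @reserved ~w(iss sub aud client_id jti iat exp nbf)

  @doc "Build the ID-JAG claim set; `extra` is string-keyed and must not collide."
  def claims(issuer, audience, client_id, subject, extra \\ %{}, lifetime \\ 300) do
    with :ok <- check_extra(extra) do
      now = System.system_time(:second)

      base = %{
        "iss" => issuer,
        "sub" => subject,
        "aud" => audience,
        "client_id" => client_id,
        # 128-bit random, URL-safe jti so the AS can detect replay per assertion.
        "jti" => Base.url_encode64(:crypto.strong_rand_bytes(16), padding: false),
        "iat" => now,
        "exp" => now + lifetime
      }

      # Merging `base` last guarantees the registered claims win even if a
      # non-colliding check were ever bypassed.
      {:ok, Map.merge(extra, base)}
    end
  end

  defp check_extra(extra) when is_map(extra) do
    keys = Map.keys(extra)

    cond do
      Enum.any?(keys, &(not is_binary(&1))) -> {:error, :invalid_claims}
      Enum.any?(keys, &(&1 in @reserved)) -> {:error, :reserved_claim_conflict}
      true -> :ok
    end
  end

  defp check_extra(_), do: {:error, :invalid_claims}

  @doc "Sign the claims as a compact JWS whose protected header carries the ID-JAG typ."
  def sign(jwk, claims, alg \\ "ES256", kid \\ nil) do
    header = %{"alg" => alg, "typ" => @typ}
    header = if kid, do: Map.put(header, "kid", kid), else: header
    {_alg_module, compact} = jwk |> JOSE.JWT.sign(header, claims) |> JOSE.JWS.compact()
    compact
  end

  @doc "Form-encoded body the client POSTs to the token endpoint (RFC 7523 §4)."
  def token_request_body(assertion) do
    URI.encode_query(%{"grant_type" => @grant_type, "assertion" => assertion})
  end

  @doc """
  Authorization-server side: pin the algorithm list, require the ID-JAG typ,
  then check audience and validity window before trusting any claim.
  """
  def verify(public_jwk, compact, expected_aud, now \\ System.system_time(:second)) do
    case JOSE.JWT.verify_strict(public_jwk, ["ES256"], compact) do
      {true, %JOSE.JWT{fields: c}, %JOSE.JWS{fields: %{"typ" => @typ}}} ->
        check_claims(c, expected_aud, now)

      {true, _jwt, _jws} ->
        {:error, :wrong_typ}

      {false, _jwt, _jws} ->
        {:error, :bad_signature}
    end
  end

  defp check_claims(c, expected_aud, now) do
    cond do
      Enum.any?(~w(iss sub aud client_id jti iat exp), &(not Map.has_key?(c, &1))) ->
        {:error, :missing_claim}

      c["aud"] != expected_aud -> {:error, :invalid_audience}
      not is_integer(c["exp"]) or c["exp"] <= now -> {:error, :expired}
      not is_integer(c["iat"]) or c["iat"] > now -> {:error, :invalid_time}
      true -> {:ok, c}
    end
  end

  @doc "End-to-end walk-through with constructed values; returns the token request body."
  def demo do
    jwk = JOSE.JWK.generate_key({:ec, "P-256"})
    idp = "https://idp.example"
    as = "https://as.example"

    {:ok, claims} = claims(idp, as, "client-123", "user-42", %{"email" => "user@example.org"})
    compact = sign(jwk, claims, "ES256", "demo-key-1")

    # The AS accepts the assertion only with its public half of the issuer key.
    {:ok, _verified} = verify(JOSE.JWK.to_public(jwk), compact, as)
    # A caller trying to smuggle a registered claim through :claims is rejected.
    {:error, :reserved_claim_conflict} = claims(idp, as, "client-123", "user-42", %{"sub" => "other"})
    # Presenting the assertion to the wrong resource AS fails the audience check.
    {:error, :invalid_audience} = verify(JOSE.JWK.to_public(jwk), compact, "https://other.example")

    token_request_body(compact)
  end
end
```

`IdJagExample.demo/0` runs the whole exchange in an `iex -S mix` session of a project that depends on `jose`. Two design points mirror this module's error atoms: extra claims are validated before merging (`:invalid_claims` for non-string keys, `:reserved_claim_conflict` for any of the registered names), and the verifier pins both the algorithm list and the `typ` header rather than trusting whatever the token announces.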