ExMCP.Authorization.ClientAssertion (ex_mcp v0.9.0)


RFC 7523 Section 2.2 — JWT client assertions for private_key_jwt authentication.

Used to authenticate confidential clients at the token endpoint using a JWT signed with the client's private key instead of a client secret.

Summary

Functions

  • assertion_type/0 - Returns the client assertion type URI.
  • build_assertion/1 - Builds a JWT client assertion for token endpoint authentication.
  • build_assertion_params/1 - Builds form parameters for JWT client authentication at the token endpoint.
  • verify_assertion/3 - Server-side: verifies an incoming client assertion.

Functions

assertion_type()

@spec assertion_type() :: String.t()

Returns the client assertion type URI.

build_assertion(opts)

@spec build_assertion(keyword()) :: {:ok, String.t()} | {:error, term()}

Builds a JWT client assertion for token endpoint authentication.

Options

  • :client_id (required) - The client identifier
  • :token_endpoint (required) - The token endpoint URL (used as audience)
  • :private_key (required) - JWK private key for signing
  • :alg - Signing algorithm (default: "RS256")
  • :kid - Key ID to include in header
  • :lifetime - Assertion lifetime in seconds (default: 300)
  • :additional_claims - Extra claims to include

build_assertion_params(opts)

@spec build_assertion_params(keyword()) :: {:ok, keyword()} | {:error, term()}

Builds form parameters for JWT client authentication at the token endpoint.

Returns a keyword list with client_assertion_type, client_assertion, and client_id ready to be merged into the token request body.

Accepts the same options as build_assertion/1.

verify_assertion(assertion, expected_client_id, opts)

@spec verify_assertion(String.t(), String.t(), keyword()) ::
  {:ok, map()} | {:error, term()}

Server-side: Verifies an incoming client assertion.

Parameters

  • assertion - The JWT assertion string
  • expected_client_id - The expected client ID (must match iss and sub)
  • opts - Verification options:
    • :token_endpoint (required) - The token endpoint URL (expected audience)
    • :client_jwks - List of JWKs for the client, or a single JWK
    • :jwks_uri - URL to fetch client JWKS from
    • :max_lifetime - Maximum allowed assertion lifetime in seconds (default: 600)
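A client-side build followed by the server-side verification, using only the functions and options documented above. This is an added example, not code from the ex_mcp project; it assumes that :private_key and :client_jwks take JWKs as maps, that those maps are loaded from application config (:my_app, the endpoint URL, client id and kid are placeholders), and that the server already holds the client's public JWK from registration.

```elixir
# Added example (not ex_mcp project code). Assumes :private_key takes a JWK as a
# map, that the JWKs are loaded from application config (:my_app is a placeholder),
# and that the server already holds the client's public JWK from registration.
alias ExMCP.Authorization.ClientAssertion

token_endpoint = "https://auth.example.com/oauth/token"
client_id = "mcp-client-123"
private_jwk = Application.fetch_env!(:my_app, :client_private_jwk)

# Client side: the signed assertion plus client_assertion_type and client_id,
# ready to merge into the token request body.
{:ok, params} =
  ClientAssertion.build_assertion_params(
    client_id: client_id,
    token_endpoint: token_endpoint,
    private_key: private_jwk,
    alg: "RS256",
    kid: "client-key-1",
    lifetime: 120
  )

# The assertion type returned by the module is what ends up in the form body.
true = params[:client_assertion_type] == ClientAssertion.assertion_type()

body =
  [grant_type: "client_credentials"]
  |> Keyword.merge(params)
  |> URI.encode_query()

IO.puts("token request body (application/x-www-form-urlencoded): " <> body)

# Server side: iss and sub must equal the registered client_id and aud must be
# this token endpoint; a static JWK list is used here instead of :jwks_uri, and
# the server's :max_lifetime caps how long a client-chosen :lifetime may be.
public_jwk = Application.fetch_env!(:my_app, :client_public_jwk)

case ClientAssertion.verify_assertion(params[:client_assertion], client_id,
       token_endpoint: token_endpoint,
       client_jwks: [public_jwk],
       max_lifetime: 300
     ) do
  {:ok, claims} -> IO.inspect(claims, label: "accepted client assertion")
  {:error, reason} -> IO.inspect(reason, label: "rejected client assertion")
end
```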