AssertionType

  • The app supports OpenIDConnect ID tokens (ID_TOKEN) and a custom assertion type for account creation (ACCOUNT_CREATION), both based on JWTs and utilizing Google Sign-In.

  • ID_TOKEN assertions are used for standard authentication flows, including linking to existing accounts, while ACCOUNT_CREATION assertions specifically indicate new account creation intent.

  • Responses to token requests using these assertions adhere to OAuth 2.0 standards for success and error handling as outlined in RFC6749.

  • An unknown assertion type (UNKNOWN_ASSERTION_TYPE) exists for backward compatibility but is rejected by the application.

Assertion types that the app can support at the token endpoint.

Enums
UNKNOWN_ASSERTION_TYPE

Unknown assertion type for backwards compatibility. Rejected.
ID_TOKEN

OpenIDConnect ID token. This is a JWT with grantType set to urn:ietf:params:oauth:grant-type:jwt-bearer. It is the same token that the Google Sign-In libraries produce, and its verification is documented at https://developers.google.com/identity/sign-in/web/backend-auth. For more information on JWTs, see https://tools.ietf.org/html/rfc7523#section-2.1

This token will include the non-standard key-value pair intent=get when the user attempts to link to an existing account.

The response should be as per https://tools.ietf.org/html/rfc6749#section-4.1.4 in the event of success, and as per https://tools.ietf.org/html/rfc6749#section-4.2.2.1 in the event of error.

ACCOUNT_CREATION

This is the same as ID_TOKEN, except that a non-standard key "intent" will be set to "create", indicating that the user is attempting to create a new account that should be associated with the Google ID in the sub field of the JWT, as with other usage of Google Sign-In. The responses are as with ID_TOKEN.
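An added example (not part of this reference or of any Google library) of how a token endpoint could map a request to one of these assertion types and reject everything else before any account lookup. The function name, the `verify_signature` hook and the sample values are hypothetical; it assumes the intent value is handed in as a separate argument, that only `get` and `create` are accepted, and it uses `invalid_grant` for a JWT that fails validation, as RFC 7523 section 3.1 specifies.

```python
import time

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
INTENT_TO_TYPE = {"get": "ID_TOKEN", "create": "ACCOUNT_CREATION"}


def classify_assertion(grant_type, intent, assertion, verify_signature,
                       client_id, now=None):
    """Return {'assertion_type', 'sub'} on success, {'error': code} on rejection.

    verify_signature(jwt) returns the claims dict and raises ValueError on a
    bad signature. It is a hypothetical hook: a real one checks the JWT
    against Google's public keys as described in the backend-auth guide.
    """
    now = time.time() if now is None else now
    if grant_type != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    assertion_type = INTENT_TO_TYPE.get(intent)
    if assertion_type is None:
        # UNKNOWN_ASSERTION_TYPE: reject, never fall through to a default flow.
        return {"error": "invalid_request"}
    try:
        claims = verify_signature(assertion)
    except ValueError:
        return {"error": "invalid_grant"}
    # Claims are trusted only after the signature check above has passed.
    if claims.get("aud") != client_id:
        return {"error": "invalid_grant"}  # token minted for another app
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return {"error": "invalid_grant"}
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return {"error": "invalid_grant"}  # missing or expired
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        return {"error": "invalid_grant"}
    return {"assertion_type": assertion_type, "sub": sub}


# Constructed sample data: a stub standing in for real signature verification.
SAMPLE_CLAIMS = {"iss": "https://accounts.google.com",
                 "aud": "example-client-id",
                 "sub": "1234567890", "exp": 2_000_000_000}


def stub_verify(jwt):
    if jwt != "constructed.sample.jwt":
        raise ValueError("bad signature")
    return dict(SAMPLE_CLAIMS)
```

The account is keyed on the verified `sub` value only; whether a `get` request for an unknown `sub` or a `create` request for an existing one should fail is application policy that this example leaves to the caller.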