Yes, but generating the JWT from the gateway, which apparently stores it only in a context variable, doesn't make a lot of sense to me. How do I get it to the client? How do I authenticate the client? It doesn't make any sense to me that a client connects, I generate the JWT and send it to them, then they send it back to my token endpoint. That accomplishes nothing. Any client could do it.
Let me back up a bit and explain how I understand the flow to work per specification, which seems to be what is implemented in the example from Salesforce. (Which is only an example of what we are trying to do; we're not involving Salesforce in the exchange or anything like that.)
1. The client possesses the JWT. Doesn't really matter where it came from as long as it is valid in format and content.
2. The client signs the JWT with their private key. Optionally they encrypt it.
3. The client sends the JWT to the token endpoint, which interprets the signature based on a certificate that has been previously registered with the token endpoint. If it can validate the signature, it knows it must have come from the holder of the private key. Typical SSL-type behavior.
4. The token endpoint issues the access token.
Your scenario would seem to be described as follows (please correct where necessary).
1. The client connects to the gateway, outside of OTK, and the gateway generates a JWT for them. I assume it signs or encrypts it.
2. The gateway sends the JWT to the client, which in turn sends it back to the token endpoint.
3. The token endpoint issues the access token because it can recognize the JWT. How it recognizes it I don't know because it was only stored in a context variable, which is now gone. I'm told the architect investigated and said the OTK looks it up in the database, but we don't know how it's supposed to get there.
I don't know how that latter scenario will work because any client could do it, which is what we are trying to avoid. It would seem we need some out-of-band process that will "register" the JWT to a specific client, then validate it with that client's certificate.
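The per-specification flow described in steps 1-4 above, as an added example that is not part of the original post and not OTK or Salesforce code: the client signs its own JWT (RS256) with its private key, and the token endpoint only issues an access token when the signature verifies against the key registered for that client. The in-memory `Registry`, the client IDs, the audience URL and the returned access-token string are all constructed here, and a public key stands in for the registered certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Registry maps a client ID to its public key; it stands in for the certificate the post says is
// pre-registered with the token endpoint. Client IDs and keys are constructed by the caller.
var Registry = map[string]*rsa.PublicKey{}
var b64 = base64.RawURLEncoding

func enc(v any) string   { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
func dec(s string) []byte { b, _ := b64.DecodeString(s); return b }

// NewKey makes a fresh client key pair (constructed for the example; real clients bring their own).
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// SignAssertion is the client side (steps 1-2): build the JWT and sign it with the client's private
// key. Anyone can build the claims; only the holder of the private key can produce the signature.
func SignAssertion(key *rsa.PrivateKey, iss, aud string, exp time.Time) (string, error) {
	signingInput := enc(map[string]string{"alg": "RS256"}) + "." +
		enc(map[string]any{"iss": iss, "sub": iss, "aud": aud, "exp": exp.Unix()})
	h := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// TokenEndpoint is the server side (steps 3-4): look up the key registered for the issuer, verify
// the signature, check audience and expiry, then issue a (constructed) access token.
func TokenEndpoint(assertion, aud string, now time.Time) (string, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 { return "", errors.New("malformed assertion") }
	var hdr struct{ Alg string }
	var claims struct{ Iss, Aud string; Exp int64 }
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || json.Unmarshal(dec(parts[1]), &claims) != nil || hdr.Alg != "RS256" {
		return "", errors.New("bad header or claims")
	}
	pub, ok := Registry[claims.Iss] // no registered certificate for this issuer: reject
	if !ok { return "", errors.New("unregistered client") }
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], dec(parts[2])) != nil { return "", errors.New("signature does not match the registered key") }
	if claims.Aud != aud || !now.Before(time.Unix(claims.Exp, 0)) { return "", errors.New("wrong audience or expired") }
	return "access-token-for-" + claims.Iss, nil
}
```

The point of the check is the binding: a JWT with the same claims signed by any other key, or from an issuer with nothing registered, is refused, which is exactly what the gateway-generated JWT in the second scenario cannot provide.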