
Using JWT for OAuth

Question asked by StPaulPete on Dec 6, 2016
Latest reply on May 10, 2018 by StPaulPete

We have a need to provide OAuth authentication for "headless" clients, where there is no user to engage in the authorization code or similar login/consent grant types. It seems the best option is to use a JSON Web Token (JWT), and the OTK doc alludes to this being supported, but I can't find any step-by-step instructions on how it works. The best explanation I've found so far of the general process is provided by Salesforce, for their token endpoint, and can be seen here: https://help.salesforce.com/articleView?id=remoteaccess_oauth_jwt_flow.htm&language=pt_BR_1_1&type=0#validate_token

 

I'm looking to establish a similar process for the OTK. Before I go down the path of experimentation and analysis of the OTK token endpoint policies, I thought I'd ask to see if anyone out there has done this? I assume at the very least I'll have to store a certificate in an identity provider and call the endpoint with the appropriate grant type indicated.
