I've now been able to confirm that it's two parameters, not three. Google's documentation seems to be correct insofar as it names those two parameters (grant_type and assertion) but wrong insofar as it refers to them as three parameters.
Evidence for two parameters comes from a current Internet-Draft (JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0), which defines an extension grant type under RFC 6749 (The OAuth 2.0 Authorization Framework).
Evidence also consists of having tried a verbatim access token obtained by the Google APIs client library (and revealed by logging) inside my (non-Java) implementation: use of this access token has made the invalid_grant error go away.
(There is now evidently a problem about forming a SHA256withRSA signature left in my code, but that's another issue ...)
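The two-parameter request described above, as an added example that is not part of the original answer or of Google's client library: it signs a JWT with SHA256withRSA (RS256, PKCS#1 v1.5) and builds the form body from exactly grant_type and assertion. The RSA key, the claim values and all function names are constructed for illustration; the key is built from two Mersenne primes so no key file is needed, and it is not secure.

```python
import base64, hashlib, json
from urllib.parse import urlencode

# grant_type value defined by the JWT bearer token profile for OAuth 2.0
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed demo key (assumption, NOT secure): product of two Mersenne primes.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus length in bytes
# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def emsa_pkcs1_v15(message: bytes) -> bytes:
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def rs256_sign(message: bytes) -> bytes:
    m = int.from_bytes(emsa_pkcs1_v15(message), "big")
    return pow(m, D, N).to_bytes(K, "big")

def rs256_verify(message: bytes, signature: bytes) -> bool:
    recovered = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    return recovered == emsa_pkcs1_v15(message)

def build_assertion(claims: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)  # the signature covers header.claims, dot included
    return signing_input + "." + b64url(rs256_sign(signing_input.encode("ascii")))

def build_token_request_body(assertion: str) -> str:
    # Exactly two form parameters: grant_type and assertion.
    return urlencode({"grant_type": GRANT_TYPE, "assertion": assertion})

# Constructed claim values (assumptions); a real request uses the provider's own.
CLAIMS = {
    "iss": "service-account@example.invalid",
    "scope": "https://example.invalid/scope",
    "aud": "https://example.invalid/token",
    "iat": 1700000000, "exp": 1700003600,
}

if __name__ == "__main__":
    print(build_token_request_body(build_assertion(CLAIMS)))
```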