Configure Login.gov OIDC with private_key_jwt client authentication and IAL/AAL acr_values

domain: developers.login.gov · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. Register your service in the Login.gov sandbox dashboard and upload your RSA public key (JWKS endpoint or raw PEM); record the assigned client_id.
  2. Build the authorization request to /openid_connect/authorize with acr_values such as urn:acr.login.gov:verified-facial-match-preferred for IAL2-equivalent identity proofing or urn:acr.login.gov:auth-only for authentication-only, plus scope openid email, and a nonce and state.
  3. At the token endpoint, construct the client_assertion JWT with claims iss=client_id, sub=client_id, aud=token endpoint URL, jti (unique per request), and exp; set client_assertion_type to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
  4. Exchange the authorization code for tokens by POSTing to /openid_connect/token with grant_type=authorization_code, code, client_assertion, and client_assertion_type.
  5. Retrieve user attributes by calling /openid_connect/userinfo with the access token in an Authorization: Bearer header; the returned claims include verified_at and ial when identity verification was requested.
  6. Validate the id_token signature against Login.gov's published JWKS, check that iss matches https://idp.int.identitysandbox.gov (sandbox) or https://secure.login.gov (production), confirm that aud is your client_id, and verify that nonce matches the value you sent in the authorization request.

Known gotchas

Related routes

Authenticate OAuth clients with private_key_jwt instead of client secrets
identity-general · 6 steps · unrated
Integrate Login.gov OIDC for a government service application
secure.login.gov · 6 steps · unrated
Validate OIDC ID tokens via JWKS discovery
openid.net · 6 steps · unrated
