Well this is interesting.  I started digging into the %SYS.OAuth2.Request.MakeRequestJWT code and saw the following:

I would think keyalg should be set to null when keyalg="none" rather than encalg.

I'm running v2019.1, perhaps this has been fixed in a later version.

Hi Dmitriy, after following what you did to generate a JWT, I was unsuccessful.  When making the call to MakeRequestJWT, the value I receive in tSC is

"0"_$lb($lb(8894,"none","",,,,,,,$lb(,"%SYS",$lb("e^zObjectToJWT+7^%OAuth2.JWT.1^1","e^zMakeRequestJWT+46^%SYS.OAuth2.Request.1^1","e^^^0"))))/* ERROR #8894: Invalid algorithm combination.  keyalg:none, encalg:. */

Seems to point to a problem with the client configuration.  I was successfully able to create the X509 credentials and there's not much to the OAuth Client 2.0 Server description, but there seems to be so many different combinations of values in the client config...I will continue to plug away to see if I can get a win here.  Thanks again for your help!

Thank you Dmitriy, I very much appreciate the detailed response!  I'll attempt to apply this in my environment and let you know how it goes.
 

Hey Dmitriy, thanks for the reply.  Here's ultimately what I'll use https://developers.google.com/admin-sdk/directory/v1/reference/users/update which won't be a problem (I think) once I get the access token from google.  I'm attempting to use a service account, and here are the steps that need to be achieved in order to do that (according to google documentation in this link https://developers.google.com/identity/protocols/oauth2/service-account):

After you obtain the client ID and private key from the API Console, your application needs to complete the following steps:

1. Create a JSON Web Token (JWT, pronounced, "jot") which includes a header, a claim set, and a signature.
2. Request an access token from the Google OAuth 2.0 Authorization Server.
3. Handle the JSON response that the Authorization Server returns.

So it is step 1 that I'm trying to accomplish.

Thanks,

Brian