diff --git a/pkg/client/rp/relying_party.go b/pkg/client/rp/relying_party.go
index 029a897c..e6fa0787 100644
--- a/pkg/client/rp/relying_party.go
+++ b/pkg/client/rp/relying_party.go
@@ -541,7 +541,7 @@ func CodeExchangeHandler[C oidc.IDClaims](callback CodeExchangeCallback[C], rp R
 			rp.CookieHandler().DeleteCookie(w, pkceCode)
 		}
 		if rp.Signer() != nil {
-			assertion, err := client.SignedJWTProfileAssertion(rp.OAuthConfig().ClientID, []string{rp.Issuer()}, time.Hour, rp.Signer())
+			assertion, err := client.SignedJWTProfileAssertion(rp.OAuthConfig().ClientID, []string{rp.Issuer(), rp.OAuthConfig().Endpoint.TokenURL}, time.Hour, rp.Signer())
 			if err != nil {
 				unauthorizedError(w, r, "failed to build assertion: "+err.Error(), state, rp)
 				return
diff --git a/pkg/oidc/token_request.go b/pkg/oidc/token_request.go
index f3b2ec47..dadb2058 100644
--- a/pkg/oidc/token_request.go
+++ b/pkg/oidc/token_request.go
@@ -72,10 +72,10 @@ type AccessTokenRequest struct {
 	Code                string `schema:"code"`
 	RedirectURI         string `schema:"redirect_uri"`
 	ClientID            string `schema:"client_id"`
-	ClientSecret        string `schema:"client_secret"`
-	CodeVerifier        string `schema:"code_verifier"`
-	ClientAssertion     string `schema:"client_assertion"`
-	ClientAssertionType string `schema:"client_assertion_type"`
+	ClientSecret        string `schema:"client_secret,omitempty"`
+	CodeVerifier        string `schema:"code_verifier,omitempty"`
+	ClientAssertion     string `schema:"client_assertion,omitempty"`
+	ClientAssertionType string `schema:"client_assertion_type,omitempty"`
 }
 
 func (a *AccessTokenRequest) GrantType() GrantType {