fix: rfc9068 must condition ignored in introspection

[james-d-elliott]

This fixes an outstanding TODO where the requirement for a correctly formed RFC9068 access token MUST have the media type of 'application/at+jwt', and that this media type MUST be appropriately reflected in the typ header as either 'at+jwt' (SHOULD), or as the media type itself. See https://datatracker.ietf.org/doc/html/rfc9068#section-2.1 for more information.

Related Issue or Design Document

Checklist

• [x] I have read the contributing guidelines and signed the CLA.
• [x] I have referenced an issue containing the design document if my change introduces a new feature.
• [x] I have read the security policy.
• [x] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.
• [ ] I have added tests that prove my fix is effective or that my feature works.
• [ ] I have added the necessary documentation within the code base (if appropriate).

Further comments

[mitar]

Tests are missing.

Also, I could not find where in fosite we set type for access tokens to at+jwt? It seems to me we only set it to JWT.

[james-d-elliott]

I must have missed the tests and the change which makes the JWT Profile default to this typ when picking this out of local changes. Let me see what I have there.

[mitar]

So there is no typ for ID tokens? Have you made a test which makes sure we are not setting now this new typ for ID tokens as well?

[james-d-elliott]

So there is no typ for ID tokens? Have you made a test which makes sure we are not setting now this new typ for ID tokens as well?

This change doesn't affect that code path, just GetJWTHeader() *jwt.Headers not IDTokenHeaders() *jwt.Headers.

[mitar]

Any thoughts on how to transition this on a live system? There might be a period when old valid access tokens are returned as invalid because they have old typ?

(This is not a problem for me, but it might be for other users of fosite.)

[james-d-elliott]

I have made sure the function is exported for this reason. I think from a practical standpoint they should be considered invalid or the implementer should implement their own validator which allows both based on iat claim. i.e. tokens issued before x should be safe if they have the JWT typ. However I think it would be irresponsible for security to make this a default option, and implementers should consider all tokens absent this typ to be invalid.