Hello,
my IdP is kind of progressive and implemented RFC9068, where all access tokens
now come with typ "at+JWT".
Since the setup has used local validation, I had to switch and currently use
introspection endpoint. Looked around at the src and there seems to be
relatively simple check of the token typ checking the only fixed value of
"JWT" -- do you think you could consider tuning it a little bit so
that local validation works also with such tokens?
I am not an expert on OAuth2 so have no idea whether this is a valid request,
but think that such a token is still JWT but has the required structure per RFC,
which should not anyhow be in collision with a simple "JWT" typ.
Saying that, I would not wonder if the statement is not correct :)
Many thanks,
Tomas
