test: add tests

handler/oauth2/introspector_jwt.go

@@ -100,6 +100,10 @@ func IsJWTProfileAccessToken(token *jwt.Token) bool {
 		ok  bool
 	)
 
+	if token == nil {
+		return false
+	}
+
 	if raw, ok = token.Header[string(jwt.JWTHeaderType)]; !ok {
 		return false
 	}

handler/oauth2/introspector_jwt_test.go

@@ -99,6 +99,23 @@ func TestIntrospectJWT(t *testing.T) {
 				return token
 			},
 		},
+		{
+			description: "should fail bad typ",
+			token: func() string {
+				jwt := jwtValidCase(fosite.AccessToken)
+
+				s := jwt.Session.(*JWTSession)
+
+				s.JWTHeader.Extra["typ"] = "JWT"
+
+				jwt.Session = s
+
+				token, _, err := strat.GenerateAccessToken(context.Background(), jwt)
+				assert.NoError(t, err)
+				return token
+			},
+			expectErr: fosite.ErrRequestUnauthorized,
+		},
 	} {
 		t.Run(fmt.Sprintf("case=%d:%v", k, c.description), func(t *testing.T) {
 			if c.scopes == nil {
@@ -142,3 +159,64 @@ func BenchmarkIntrospectJWT(b *testing.B) {
 
 	assert.NoError(b, err)
 }
+
+func TestIsJWTProfileAccessToken(t *testing.T) {
+	testCases := []struct {
+		name     string
+		have     *jwt.Token
+		expected bool
+	}{
+		{
+			"ShouldPassTypATJWT",
+			&jwt.Token{
+				Header: map[string]interface{}{
+					"typ": "at+jwt",
+				},
+			},
+			true,
+		},
+		{
+			"ShouldPassTypApplicationATJWT",
+			&jwt.Token{
+				Header: map[string]interface{}{
+					"typ": "application/at+jwt",
+				},
+			},
+			true,
+		},
+		{
+			"ShouldFailJWT",
+			&jwt.Token{
+				Header: map[string]interface{}{
+					"typ": "JWT",
+				},
+			},
+			false,
+		},
+		{
+			"ShouldFailNoValue",
+			&jwt.Token{
+				Header: map[string]interface{}{},
+			},
+			false,
+		},
+		{
+			"ShouldFailNilValue",
+			&jwt.Token{
+				Header: nil,
+			},
+			false,
+		},
+		{
+			"ShouldFailNilInput",
+			nil,
+			false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.Equal(t, tc.expected, IsJWTProfileAccessToken(tc.have))
+		})
+	}
+}

handler/oauth2/strategy_jwt_session.go

@@ -40,8 +40,15 @@ func (j *JWTSession) GetJWTClaims() jwt.JWTClaimsContainer {
 
 func (j *JWTSession) GetJWTHeader() *jwt.Headers {
 	if j.JWTHeader == nil {
-		j.JWTHeader = &jwt.Headers{}
+		j.JWTHeader = &jwt.Headers{
+			Extra: map[string]interface{}{
+				"typ": "at+jwt",
+			},
+		}
+	} else if j.JWTHeader.Extra["typ"] == nil {
+		j.JWTHeader.Extra["typ"] = "at+jwt"
 	}
+
 	return j.JWTHeader
 }
 

handler/oauth2/strategy_jwt_session_test.go

@@ -0,0 +1,46 @@
+// Copyright © 2024 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth2
+
+import (
+	"github.com/ory/fosite/token/jwt"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestJWTSession_GetJWTHeader(t *testing.T) {
+	testCases := []struct {
+		name     string
+		have     *JWTSession
+		expected string
+	}{
+		{
+			"ShouldReturnDefaultTyp",
+			&JWTSession{},
+			"at+jwt",
+		},
+		{
+			"ShouldReturnConfiguredATJWTTyp",
+			&JWTSession{JWTHeader: &jwt.Headers{Extra: map[string]interface{}{
+				"typ": "at+jwt",
+			}}},
+			"at+jwt",
+		},
+		{
+			"ShouldReturnConfiguredJWTTyp",
+			&JWTSession{JWTHeader: &jwt.Headers{Extra: map[string]interface{}{
+				"typ": "JWT",
+			}}},
+			"JWT",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			header := tc.have.GetJWTHeader()
+
+			assert.Equal(t, tc.expected, header.Get("typ"))
+		})
+	}
+}

handler/oauth2/strategy_jwt_test.go

@@ -194,6 +194,16 @@ func TestAccessToken(t *testing.T) {
 				require.Len(t, parts, 3, "%s - %v", token, parts)
 				assert.Equal(t, parts[2], signature)
 
+				rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
+				require.NoError(t, err)
+
+				var header map[string]interface{}
+				require.NoError(t, json.Unmarshal(rawHeader, &header))
+
+				typ, ok := header["typ"]
+				assert.True(t, ok)
+				assert.Equal(t, "at+jwt", typ)
+
 				rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
 				require.NoError(t, err)
 				var payload map[string]interface{}