From a1ed57c03524acc9bd8897a9ac67c62d9c235e0c Mon Sep 17 00:00:00 2001
From: Maxime Besson
Date: Mon, 1 Feb 2021 22:35:54 +0100
Subject: [PATCH] Add typ header to access token jwt (#2419)
---
 .../lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
index a0fb4437d..d5539e2c6 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
@@ -798,7 +798,8 @@ sub maybeJWT {
 ->{oidcRPMetaDataOptionsAccessTokenSignAlg} || "RS256";
 $self->logger->debug("Access Token signature algorithm: $alg");
- my $jwt = $self->createJWT( $access_token_payload, $alg, $rp );
+ my $jwt =
+ $self->createJWT( $access_token_payload, $alg, $rp, "at+JWT" );
 return $jwt;
 }
@@ -1632,13 +1633,14 @@ sub _forceType {
 # @param rp Internal Relying Party identifier
 # @return String jwt JWT
 sub createJWT {
- my ( $self, $payload, $alg, $rp ) = @_;
+ my ( $self, $payload, $alg, $rp, $type ) = @_;
 # Payload encoding
 my $jwt_payload = encode_base64url( to_json($payload), "" );
 # JWT header
- my $jwt_header_hash = { typ => "JWT", alg => $alg };
+ my $typ = $type || "JWT";
+ my $jwt_header_hash = { typ => $typ, alg => $alg };
 if ( $alg eq "RS256" or $alg eq "RS384" or $alg eq "RS512" ) {
 $jwt_header_hash->{kid} = $self->conf->{oidcServiceKeyIdSig}
 if $self->conf->{oidcServiceKeyIdSig};
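Review bot: The `"at+JWT"` passed positionally in the new `$self->createJWT( $access_token_payload, $alg, $rp, "at+JWT" )` call in maybeJWT is a bare literal with nothing saying why access tokens get a distinct type, so a named constant plus a one-line comment would help, e.g. `# typ from the JWT access token profile (draft-ietf-oauth-access-token-jwt, later RFC 9068): lets resource servers tell an access token apart from an ID token or other JWT signed by the same key`. The defensive value of this header only materialises if the consumer side enforces it: whatever in this module verifies incoming JWTs is not in the diff, and as far as the hunk shows nothing rejects an `at+JWT` token where an ID token is expected or the reverse, so that validation path is worth confirming. Media type values are compared case-insensitively by RFC 7515 consumers (it defers to RFC 2045), so `at+JWT` should interoperate with verifiers expecting `at+jwt`, but the spelling should follow the spec revision the deployment targets. maybeJWT's body starts above the hunk.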
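Review bot: The new `$type` parameter of createJWT is undocumented: the header comment above the sub lists `# @param rp Internal Relying Party identifier` and `# @return String jwt JWT`, and a line `# @param type Optional value for the JWT "typ" header; defaults to "JWT" when omitted` belongs next to them (the earlier `@param` lines sit above the hunk). Minor style point: `my $typ = $type || "JWT";` also substitutes the default for an explicit empty string or `"0"`; `my $typ = $type // "JWT";` would only cover an omitted argument, which is what the call site in maybeJWT relies on, though no caller in this diff passes a false value. The rest of createJWT's body continues below the hunk.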