apache · gnodet · Mar 11, 2026
diff --git a/.../jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java b/.../jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
@@ -43,6 +43,7 @@ public final class JoseConstants extends RSSecurityConstants {
     public static final String JWS_HEADER_B64_STATUS_HEADER = "b64";
 
     public static final String TYPE_JWT = "JWT";
+    public static final String TYPE_AT_JWT = "at+jwt";
     public static final String TYPE_JOSE = "JOSE";
     public static final String TYPE_JOSE_JSON = "JOSE+JSON";
     public static final String MEDIA_TYPE_JOSE = "application/jose";

diff --git a/...urity/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseType.java b/...urity/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseType.java
@@ -22,7 +22,8 @@
 public enum JoseType {
     JOSE(JoseConstants.TYPE_JOSE),
     JOSE_JSON(JoseConstants.TYPE_JOSE_JSON),
-    JWT(JoseConstants.TYPE_JWT);
+    JWT(JoseConstants.TYPE_JWT),
+    AT_JWT(JoseConstants.TYPE_AT_JWT);
 
     private final String type;
     JoseType(String type) {
@@ -33,6 +34,8 @@ public static JoseType getType(String type) {
             return null;
         } else if (JoseConstants.TYPE_JOSE_JSON.equals(type)) {
             return JOSE_JSON;
+        } else if (JoseConstants.TYPE_AT_JWT.equals(type)) {
+            return AT_JWT;
         } else {
             return valueOf(type);
         }

diff --git a/...2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/...2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -27,6 +27,7 @@
 import jakarta.ws.rs.core.MultivaluedMap;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.rs.security.jose.common.JoseConstants;
+import org.apache.cxf.rs.security.jose.common.JoseType;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
@@ -669,7 +670,11 @@ protected String processJwtAccessToken(JwtClaims jwtCliams) {
         // It will JWS-sign (default) and/or JWE-encrypt
         OAuthJoseJwtProducer processor =
             getJwtAccessTokenProducer() == null ? new OAuthJoseJwtProducer() : getJwtAccessTokenProducer();
-        return processor.processJwt(new JwtToken(jwtCliams));
+        JwtToken jwt = new JwtToken(jwtCliams);
+        // RFC 9068 Section 2.1: JWT access tokens MUST set typ to "at+jwt"
+        jwt.getJwsHeaders().setType(JoseType.AT_JWT);
+        jwt.getJweHeaders().setType(JoseType.AT_JWT);
+        return processor.processJwt(jwt);
     }
 
     public Map<String, String> getJwtAccessTokenClaimMap() {