In fact, OAuth 2 (and also OpenID Connect) does not specify what access tokens should look like or which format should be used.
That's why I expect the greatest possible flexibility from an implementer when it comes to validating access tokens.
IdentityServer implements any spec published by the OAuth Working Group or the OpenID Foundation.
There is an attempt by the OAuth Working Group to standardize the use of the JWT format for access tokens: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt-02.
And that spec states that the typ header must be "at+jwt".
"at+jwt" is set by default in newer versions of IdentityServer.
The requirement is therefore: the SSO settings should give you the option of defining the typ header via an input field.
Hi Ronny,

Thank you for raising this idea and apologies for the lack of response. We have a number of features in the SSO area on our immediate backlog and it is not clear to me at the moment if this will get resolved as part of that work or if we will need to address it separately. I will stay in touch.

Regards,
Jane