
Merge remote-tracking branch 'origin/6.5.x'

Josh Cummings il y a 1 semaine
Parent
commit
4daf089e46

+ 4 - 2
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTypeValidator.java

@@ -72,8 +72,10 @@ public final class JwtTypeValidator implements OAuth2TokenValidator<Jwt> {
 		if (this.allowEmpty && !StringUtils.hasText(typ)) {
 			return OAuth2TokenValidatorResult.success();
 		}
-		if (this.validTypes.contains(typ)) {
-			return OAuth2TokenValidatorResult.success();
+		for (String validType : this.validTypes) {
+			if (validType.equalsIgnoreCase(typ)) {
+				return OAuth2TokenValidatorResult.success();
+			}
 		}
 		return OAuth2TokenValidatorResult.failure(new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,
 				"the given typ value needs to be one of " + this.validTypes,
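Review bot: The switch from `this.validTypes.contains(typ)` to a case-insensitive loop changes the validator's contract, but nothing in the hunk records it; the Javadoc of the class or of the constructor that accepts the valid types (both outside this hunk) should state it, e.g. `* Matching against the configured types is case-insensitive, so {@code "at+jwt"} also accepts a {@code typ} of {@code "AT+JWT"}.` A reader of the error message on the last line would otherwise assume an exact match is required. Note also that `validType.equalsIgnoreCase(typ)` returns false for a null {@code typ} (the header absent while {@code allowEmpty} is false), so the failure branch is reached rather than depending on whether the backing set tolerates {@code contains(null)}; conversely a null element in {@code validTypes} would now throw, which is presumably rejected at construction but is worth confirming. The enclosing {@code validate} method continues outside the hunk.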

+ 8 - 0
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTypeValidatorTests.java

@@ -44,4 +44,12 @@ class JwtTypeValidatorTests {
 		assertThat(validator.validate(jwt.build()).hasErrors()).isFalse();
 	}
 
+	@Test
+	void validateWhenTypHeaderHasDifferentCaseThenSuccess() {
+		Jwt.Builder jwt = TestJwts.jwt();
+		JwtTypeValidator validator = new JwtTypeValidator("at+jwt");
+		jwt.header(JoseHeaderNames.TYP, "AT+JWT");
+		assertThat(validator.validate(jwt.build()).hasErrors()).isFalse();
+	}
+
 }