fix: rfc9068 must condition ignored in introspection

This fixes an outstanding TODO where the requirement for a correctly formed RFC9068 access token MUST have the media type of 'application/at+jwt', and that this media type MUST be appropriately reflected in the typ header as either 'at+jwt' (SHOULD), or as the media type itself. See https://datatracker.ietf.org/doc/html/rfc9068#section-2.1 for more information.

handler/oauth2/introspector_jwt.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/token/jwt"
+	"github.com/ory/x/errorsx"
 )
 
 type StatelessJWTValidator struct {
@@ -74,7 +75,9 @@ func (v *StatelessJWTValidator) IntrospectToken(ctx context.Context, token strin
 		return "", err
 	}
 
-	// TODO: From here we assume it is an access token, but how do we know it is really and that is not an ID token?
+	if !IsJWTProfileAccessToken(t) {
+		return "", errorsx.WithStack(fosite.ErrRequestUnauthorized.WithDebug("The provided token is not a valid RFC9068 JWT Profile Access Token as it is missing the header 'typ' value of 'at+jwt' "))
+	}
 
 	requester := AccessTokenJWTToRequest(t)
 
@@ -86,3 +89,22 @@ func (v *StatelessJWTValidator) IntrospectToken(ctx context.Context, token strin
 
 	return fosite.AccessToken, nil
 }
+
+// IsJWTProfileAccessToken validates a *jwt.Token is actually a RFC9068 JWT Profile Access Token by checking the
+// relevant header as per https://datatracker.ietf.org/doc/html/rfc9068#section-2.1 which explicitly states that
+// the header MUST include a typ of 'at+jwt' or 'application/at+jwt' with a preference of 'at+jwt'.
+func IsJWTProfileAccessToken(token *jwt.Token) bool {
+	var (
+		raw any
+		typ string
+		ok  bool
+	)
+
+	if raw, ok = token.Header[string(jwt.JWTHeaderType)]; !ok {
+		return false
+	}
+
+	typ, ok = raw.(string)
+
+	return ok && (typ == "at+jwt" || typ == "application/at+jwt")
+}