fix: enforcement

handler/oauth2/strategy_jwt_profile.go

@@ -44,12 +44,12 @@ func (s *JWTProfileCoreStrategy) GenerateAccessToken(ctx context.Context, reques
 		ok     bool
 	)
 
-	if s.Config.GetEnforceJWTProfileAccessTokens(ctx) {
-		return s.GenerateJWT(ctx, oauth2.AccessToken, requester, nil)
-	}
+	enforce := s.Config.GetEnforceJWTProfileAccessTokens(ctx)
 
-	if client, ok = requester.GetClient().(oauth2.JWTProfileClient); ok && client.GetEnableJWTProfileOAuthAccessTokens() {
+	if client, ok = requester.GetClient().(oauth2.JWTProfileClient); ok && (enforce || client.GetEnableJWTProfileOAuthAccessTokens()) {
 		return s.GenerateJWT(ctx, oauth2.AccessToken, requester, client)
+	} else if enforce {
+		return s.GenerateJWT(ctx, oauth2.AccessToken, requester, nil)
 	}
 
 	return s.HMACCoreStrategy.GenerateAccessToken(ctx, requester)

token/jwt/jwt_strategy.go

@@ -75,7 +75,7 @@ func (j *DefaultStrategy) Encode(ctx context.Context, claims Claims, opts ...Str
 
 	kid, alg, enc := o.client.GetEncryptionKeyID(), o.client.GetEncryptionAlg(), o.client.GetEncryptionEnc()
 
-	if len(kid) == 0 && len(alg) == 0 {
+	if len(kid)+len(alg) == 0 {
 		return EncodeCompactSigned(ctx, claims, o.headers, keySig)
 	}
 

token/jwt/jwt_strategy_opts.go

@@ -62,8 +62,7 @@ func WithClient(client Client) StrategyOpt {
 
 func WithIDTokenClient(client any) StrategyOpt {
 	return func(opts *StrategyOpts) (err error) {
-		switch c := client.(type) {
-		case IDTokenClient:
+		if c, ok := client.(IDTokenClient); ok {
 			opts.client = &decoratedIDTokenClient{IDTokenClient: c}
 		}
 
@@ -73,8 +72,7 @@ func WithIDTokenClient(client any) StrategyOpt {
 
 func WithUserInfoClient(client any) StrategyOpt {
 	return func(opts *StrategyOpts) (err error) {
-		switch c := client.(type) {
-		case UserInfoClient:
+		if c, ok := client.(UserInfoClient); ok {
 			opts.client = &decoratedUserInfoClient{UserInfoClient: c}
 		}
 
@@ -84,8 +82,7 @@ func WithUserInfoClient(client any) StrategyOpt {
 
 func WithIntrospectionClient(client any) StrategyOpt {
 	return func(opts *StrategyOpts) (err error) {
-		switch c := client.(type) {
-		case IntrospectionClient:
+		if c, ok := client.(IntrospectionClient); ok {
 			opts.client = &decoratedIntrospectionClient{IntrospectionClient: c}
 		}
 
@@ -95,8 +92,7 @@ func WithIntrospectionClient(client any) StrategyOpt {
 
 func WithJARMClient(client any) StrategyOpt {
 	return func(opts *StrategyOpts) (err error) {
-		switch c := client.(type) {
-		case JARMClient:
+		if c, ok := client.(JARMClient); ok {
 			opts.client = &decoratedJARMClient{JARMClient: c}
 		}
 
@@ -106,8 +102,7 @@ func WithJARMClient(client any) StrategyOpt {
 
 func WithJARClient(client any) StrategyOpt {
 	return func(opts *StrategyOpts) (err error) {
-		switch c := client.(type) {
-		case JARClient:
+		if c, ok := client.(JARClient); ok {
 			opts.client = &decoratedJARClient{JARClient: c}
 		}
 
@@ -117,8 +112,7 @@ func WithJARClient(client any) StrategyOpt {
 
 func WithJWTProfileAccessTokenClient(client any) StrategyOpt {
 	return func(opts *StrategyOpts) (err error) {
-		switch c := client.(type) {
-		case JWTProfileAccessTokenClient:
+		if c, ok := client.(JWTProfileAccessTokenClient); ok {
 			opts.client = &decoratedJWTProfileAccessTokenClient{JWTProfileAccessTokenClient: c}
 		}
 
@@ -128,10 +122,9 @@ func WithJWTProfileAccessTokenClient(client any) StrategyOpt {
 
 func WithStatelessJWTProfileIntrospectionClient(client any) StrategyOpt {
 	return func(opts *StrategyOpts) (err error) {
-		switch c := client.(type) {
-		case IntrospectionClient:
+		if c, ok := client.(IntrospectionClient); ok {
 			opts.client = &decoratedIntrospectionClient{IntrospectionClient: c}
-		case JWTProfileAccessTokenClient:
+		} else if c, ok := client.(JWTProfileAccessTokenClient); ok {
 			opts.client = &decoratedJWTProfileAccessTokenClient{JWTProfileAccessTokenClient: c}
 		}
 

token/jwt/util.go

@@ -328,7 +328,7 @@ func NewClientSecretJWK(ctx context.Context, secret []byte, kid, alg, enc, use s
 			bits = aes.BlockSize * 1.5
 		case jose.A256KW, jose.A256GCMKW, jose.PBES2_HS512_A256KW:
 			bits = aes.BlockSize * 2
-		case jose.DIRECT:
+		default:
 			switch jose.ContentEncryption(enc) {
 			case jose.A128CBC_HS256, "":
 				bits = aes.BlockSize * 2