When I encrypt a JWT using JwtEncryptionHandler with a JwtClaimsSet and serialise it (JwtReconstructionHandler#build), then deserialise it using JwtReconstruction#reconstructJwt, the instance returned is a SignedThenEncryptedJwt, rather than an EncryptedJwt. This leads to an error when decrypting via JwtDecryptionHandler as the payload is treated as a nested JWT.
Steps to reproduce the issue:
- Create an encrypted JWT using JwtEncryptionHandler#encryptJwt with a JwtClaimsSet
- Serialise to string using JwtEncryptionHandler#build
- Reconstruct the JWT with EncryptedJwt jwt = JwtReconstruction#reconstructJwt(jwtString, EncryptedJwt.class);
Workaround: None without changing the code.
JwtEncryptionHandler#encryptedJwt(JwtClaimsSet) calls addJwtContentType, which adds the "typ" property to the headers used by JEH for creating an encrypted JWT. This causes JwtReconstruction to treat it as a SignedThenEncryptedJwt.
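To confirm which headers a serialised token actually carries before handing it to reconstruction, the protected header can be decoded directly. The following is an added diagnostic example, not code from the report or the library; the sample tokens and the "typ" value "JWT" are constructed assumptions, and the function names are hypothetical.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used in JOSE compact serialisation."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_jwe_header(compact: str) -> dict:
    """Return the protected header and the fields relevant to nested-JWT detection."""
    parts = compact.split(".")
    if len(parts) != 5:
        raise ValueError(f"JWE compact serialisation has 5 parts, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return {
        "header": header,
        # Per the report, the added "typ" header is what leads reconstruction
        # to pick the nested (signed-then-encrypted) type.
        "has_typ": "typ" in header,
        # RFC 7519 section 5.2: "cty": "JWT" is the marker for a nested JWT.
        "cty_is_jwt": str(header.get("cty", "")).upper() == "JWT",
    }


def make_sample(header: dict) -> str:
    """Build a constructed token: real header, placeholder bytes for the other four parts."""
    filler = b64url_encode(b"constructed")
    return ".".join([b64url_encode(json.dumps(header).encode())] + [filler] * 4)


# Constructed samples, not output from the library. The "typ" value is an assumption.
WITH_TYP = make_sample({"alg": "RSA-OAEP-256", "enc": "A128CBC-HS256", "typ": "JWT"})
WITHOUT_TYP = make_sample({"alg": "RSA-OAEP-256", "enc": "A128CBC-HS256"})

if __name__ == "__main__":
    for name, token in (("with typ", WITH_TYP), ("without typ", WITHOUT_TYP)):
        info = inspect_jwe_header(token)
        print(name, "->", "typ present" if info["has_typ"] else "no typ", info["header"])
```

Only the first segment is read, so the check needs no key material and works on any token produced by the steps above.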