From e06dd94bfaccac4cd2a68560d0293071d456fc8c Mon Sep 17 00:00:00 2001
From: namest504
Date: Fri, 24 Oct 2025 15:49:10 +0900
Subject: [PATCH] Fix sensitive case in JwtTypeValidator
Closes gh-18092
Signed-off-by: namest504
---
 .../security/oauth2/jwt/JwtTypeValidator.java | 6 ++++--
 .../security/oauth2/jwt/JwtTypeValidatorTests.java | 8 ++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTypeValidator.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTypeValidator.java
index d3e12d37b2..e34bc098f9 100644
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTypeValidator.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTypeValidator.java
@@ -72,8 +72,10 @@ public OAuth2TokenValidatorResult validate(Jwt token) {
 if (this.allowEmpty && !StringUtils.hasText(typ)) {
 return OAuth2TokenValidatorResult.success();
 }
- if (this.validTypes.contains(typ)) {
- return OAuth2TokenValidatorResult.success();
+ for (String validType : this.validTypes) {
+ if (validType.equalsIgnoreCase(typ)) {
+ return OAuth2TokenValidatorResult.success();
+ }
 }
 return OAuth2TokenValidatorResult.failure(new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,
 "the given typ value needs to be one of " + this.validTypes,
diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTypeValidatorTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTypeValidatorTests.java
index 26df3ad9b0..7671adcf30 100644
--- a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTypeValidatorTests.java
+++ b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTypeValidatorTests.java
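Review bot: The loop now matches `typ` case-insensitively, but nothing in the hunk records that: the failure message `"the given typ value needs to be one of " + this.validTypes` still reads as an exact-match requirement, and the validator's Javadoc (outside the hunk) presumably still describes the old behaviour. A one-line why-comment above the `for` would ground the change in the spec, e.g. `// media type names are case-insensitive (RFC 7519 section 5.1), so "jwt" and "JWT" are equivalent`, and the class or constructor Javadoc should say the same so that callers know which spellings are accepted. Note that `String.equalsIgnoreCase` returns false for a null argument, so if `typ` can be null (its assignment is above the hunk) a token without a `typ` header still reaches the failure branch when `allowEmpty` is false; a `typ::equalsIgnoreCase` method reference would have thrown on a null receiver, so the explicit loop is the right shape here. `validate` starts and ends outside the hunk.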
@@ -44,4 +44,12 @@ void constructorWhenCustomThenEnforces() {
 assertThat(validator.validate(jwt.build()).hasErrors()).isFalse();
 }
 
+ @Test
+ void validateWhenTypHeaderHasDifferentCaseThenSuccess() {
+ Jwt.Builder jwt = TestJwts.jwt();
+ JwtTypeValidator validator = new JwtTypeValidator("at+jwt");
+ jwt.header(JoseHeaderNames.TYP, "AT+JWT");
+ assertThat(validator.validate(jwt.build()).hasErrors()).isFalse();
+ }
+
 }
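Review bot: The new test pins only one direction of the fix — a lowercase configured type (`"at+jwt"`) against an uppercase header — and no test shows that a non-configured type is still rejected regardless of case. Two short companions would close that gap: a validator built with `new JwtTypeValidator("JWT")` receiving `jwt.header(JoseHeaderNames.TYP, "jwt")` and expecting `hasErrors()` to be false, and the same validator receiving `"at+jwt"` and expecting `hasErrors()` to be true. Whether `TestJwts.jwt()` already sets a `typ` header is not visible here, so the second test should set it explicitly as this one does.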