Description
Describe the problem you'd like to have solved
I would like to be able to differentiate between access tokens and identity tokens, and specifically to fail JWT validation if the token is not an access token.
Describe the ideal solution
We can assert that a token is an access token by checking the typ header for the value at+jwt. See https://datatracker.ietf.org/doc/rfc9068/
I would like to have a typ option which I could set to the required value, with JWT verification failing if the expected type is not found in the header.
I cannot use express-jwt to do this 'manually' (as far as I can see) because the JWT.header is not available after the middleware completes, only JWT.payload is available.
Alternatives and current work-arounds
Do not share identity tokens with clients, so they cannot present an id_token for authentication.
Additional context
Perhaps I should raise this on jsonwebtoken rather than express-jwt. I have raised it there now: auth0/node-jsonwebtoken#1004
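The typ check the issue asks for, written as an added example rather than code from express-jwt or jsonwebtoken: a small Express-style middleware (the `req`/`res`/`next` shape and the `Bearer` header parsing are assumed) that decodes the JOSE header and rejects any token whose typ is not the RFC 9068 access-token type, so that an id_token cannot be accepted as an access token.

```javascript
// Added example, not express-jwt's own code. Rejects JWTs whose JOSE header
// "typ" is not the RFC 9068 access-token media type ("at+jwt"). The header is
// read before any signature check, so this runs in front of, not instead of,
// signature verification such as express-jwt.

function decodeJwtHeader(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;            // compact JWS has 3 segments
  try {
    // JOSE header is base64url-encoded JSON
    const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    return header && typeof header === 'object' ? header : null;
  } catch {
    return null;                                  // malformed base64url or JSON
  }
}

// RFC 9068 section 4 accepts "at+jwt" or "application/at+jwt"; RFC 7515
// treats typ as a media type, so compare case-insensitively.
function isAccessTokenTyp(header, expected = 'at+jwt') {
  if (!header || typeof header.typ !== 'string') return false;
  const typ = header.typ.toLowerCase().replace(/^application\//, '');
  return typ === expected.toLowerCase();
}

// Express-style middleware (assumed shape): 401 when the bearer token is
// missing, malformed, or does not carry the expected access-token typ.
function requireAccessTokenTyp(expected = 'at+jwt') {
  return function (req, res, next) {
    const auth = (req.headers && req.headers.authorization) || '';
    const m = /^Bearer\s+(\S+)$/i.exec(auth);
    const header = m ? decodeJwtHeader(m[1]) : null;
    if (!isAccessTokenTyp(header, expected)) {
      res.statusCode = 401;
      return res.end('access token with typ "' + expected + '" required');
    }
    return next();
  };
}

// Constructed sample tokens (unsigned; only the header matters here).
function makeToken(header) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return b64(header) + '.' + b64({ sub: 'user' }) + '.sig';
}
```

Mount `requireAccessTokenTyp()` before the express-jwt middleware on protected routes; express-jwt still performs the signature and claims verification.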