Description
Some JWT providers (e.g. logto.io) only provide Access Token JWTs with a typ of at+jwt, but Elasticsearch currently only supports JWT types of JWT in the JWT Realm for authentication.
Attempting to connect with such Access Token JWTs in Elasticsearch results in:
Caused by java.lang.IllegalArgumentException: invalid jwt typ header; Caused by com.nimbusds.jose.proc.BadJOSEException: JOSE header typ (type) at+jwt not allowed
It may be that a custom JWT Decoder needs to be included in a SecurityFilterChain (or similar, depending upon how Elasticsearch implements such security), similar to the approach suggested for Spring applications in https://github.com/logto-io/logto/blob/master/packages/console/src/assets/docs/guides/api-spring-boot/README.mdx
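
An added diagnostic example, not part of the original issue and not Elasticsearch or Nimbus code: it reads the `typ` header of a compact JWT and tests it against an allowlist, which is the kind of check that produces the error quoted above. The `STRICT` and `WIDENED` allowlists, the helper names and the sample tokens are assumptions constructed for illustration, and the signature is not verified.

```python
import base64
import json

def _b64url_decode(segment):
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _normalize(typ):
    # RFC 7515 4.1.9: media type names compare case-insensitively and the
    # "application/" prefix may be omitted.
    typ = typ.lower()
    return typ[len("application/"):] if typ.startswith("application/") else typ

def header_typ(token):
    """Return the normalized typ of a compact JWS, or None if absent."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    typ = header.get("typ")
    if typ is None:
        return None
    if not isinstance(typ, str):
        raise ValueError("typ must be a string")
    return _normalize(typ)

def typ_allowed(token, allowed):
    """True if the token's typ is in the allowlist. Signature is NOT verified."""
    return header_typ(token) in {_normalize(a) for a in allowed}

def make_token(header):
    # Constructed sample: placeholder payload and signature, for header checks only.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'example'})}.c2ln"

STRICT = {"JWT"}             # assumption: models the behaviour reported above
WIDENED = {"JWT", "at+jwt"}  # assumption: hypothetical allowlist that also admits RFC 9068 tokens

ACCESS_TOKEN = make_token({"alg": "RS256", "typ": "at+jwt"})
ID_STYLE_TOKEN = make_token({"alg": "RS256", "typ": "JWT"})

if __name__ == "__main__":
    for name, tok in (("at+jwt", ACCESS_TOKEN), ("JWT", ID_STYLE_TOKEN)):
        print(name, "strict:", typ_allowed(tok, STRICT), "widened:", typ_allowed(tok, WIDENED))
```

The allowlist is an explicit set rather than "accept anything" because the `typ` check is what lets a verifier tell an RFC 9068 access token apart from other JWTs issued by the same provider.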