Include 'typ' header to allow distinguishing JWT access tokens from id tokens
My provider issues JWT access tokens and OIDC id tokens. My application uses the access tokens for auth: it decodes and verifies them, without calling userinfo or introspection. The problem is that both kinds of tokens are very similar (depending on the client my access token may have profile information too) and signed by the same key, so my application cannot reliably distinguish them and this leaves it open to clients using an id token for auth, which should not be permitted.
It seems that the recommended solution is to add a typ header to both JWTs.
Access tokens use at+jwt. It seems there's no definition for id tokens, but some providers use id_token+jwt.
More info:
https://datatracker.ietf.org/doc/html/rfc8725#name-use-explicit-typing
https://datatracker.ietf.org/doc/html/rfc9068#name-header
https://datatracker.ietf.org/doc/html/rfc9068#name-validating-jwt-access-token
Right now I'm overriding _generate_jwt_access_token to add the header to access tokens:
# Overridden to add the `typ` header so we can distinguish between
# access tokens and id tokens.
# SEE: https://gitlab.com/os85/rodauth-oauth/-/blob/master/lib/rodauth/features/oauth_jwt.rb?ref_type=heads#L90
def _generate_jwt_access_token(oauth_grant)
  # Same claims as the stock implementation.
  claims = jwt_claims(oauth_grant)
  claims[:scope] = oauth_grant[oauth_grants_scopes_column]
  # This is what we're changing: explicit type per RFC 9068 section 2.1.
  jwt_encode(claims, headers: {typ: "at+jwt"})
end
I suggest we add an oauth_jwt_typ auth_value_method that if defined adds the typ header. We could also add an id_token_jwt_typ auth_value_method for the id tokens. If that's desirable let me know and I'll open a PR.
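To show the resource-server side of the fix, here is an added, self-contained Ruby example (not rodauth-oauth's own code) of the RFC 9068 section 4 validation order: signature, then the `typ` header, then `iss`, `aud` and `exp`. It uses HS256 over a constructed secret so it runs with the standard library alone; `ISSUER`, `AUDIENCE`, the client id, the subject and the fixed timestamp are all constructed values. An id token carrying `id_token+jwt`, and an untyped legacy token, are both refused before any claim is looked at, which is the property the issue asks for.

```ruby
require "json"
require "openssl"

# Constructed demo values; a real verifier would check the provider's RS256/ES256 key.
DEMO_SECRET = "constructed-demo-secret-not-for-production"
ISSUER      = "https://auth.example.test"  # hypothetical provider
AUDIENCE    = "https://api.example.test"   # hypothetical resource server
NOW         = 1_700_000_000                # fixed clock so the example is deterministic

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0")
end

def hs256(signing_input)
  OpenSSL::HMAC.digest("SHA256", DEMO_SECRET, signing_input)
end

# Minimal JWS minting; `headers` carries the explicit type (RFC 8725 section 3.11).
def jwt_encode(claims, headers: {})
  header = { alg: "HS256" }.merge(headers)
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  "#{signing_input}.#{b64url_encode(hs256(signing_input))}"
end

class TokenError < StandardError; end

# Resource-server validation in the order RFC 9068 section 4 lists it.
def verify_access_token(token, now: Time.now.to_i)
  parts = token.split(".")
  raise TokenError, "malformed token" unless parts.length == 3

  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm; never let the token choose it.
  raise TokenError, "unexpected alg" unless header["alg"] == "HS256"
  expected = hs256(parts[0, 2].join("."))
  raise TokenError, "bad signature" unless OpenSSL.secure_compare(expected, b64url_decode(parts[2]))

  # Explicit typing: only "at+jwt" / "application/at+jwt" (case-insensitive) is an access token.
  typ = header["typ"].to_s.downcase
  unless %w[at+jwt application/at+jwt].include?(typ)
    raise TokenError, "not an access token (typ=#{header["typ"].inspect})"
  end

  claims = JSON.parse(b64url_decode(parts[1]))
  raise TokenError, "wrong issuer"   unless claims["iss"] == ISSUER
  raise TokenError, "wrong audience" unless Array(claims["aud"]).include?(AUDIENCE)
  raise TokenError, "expired"        unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims
end

# Returns the rejection message, or nil when the token is accepted.
def rejection_reason(token, now: NOW)
  verify_access_token(token, now: now)
  nil
rescue TokenError => e
  e.message
end

# Constructed sample tokens, all signed with the same key as in the issue.
def sample_access_token
  jwt_encode({ iss: ISSUER, aud: AUDIENCE, sub: "user-1", client_id: "app-1",
               scope: "openid profile", exp: NOW + 600 },
             headers: { typ: "at+jwt" })
end

def sample_id_token
  jwt_encode({ iss: ISSUER, aud: "app-1", sub: "user-1", name: "Ada", exp: NOW + 600 },
             headers: { typ: "id_token+jwt" })
end

def sample_untyped_token
  jwt_encode({ iss: ISSUER, aud: AUDIENCE, sub: "user-1", exp: NOW + 600 })
end

if __FILE__ == $0
  puts "access token: #{rejection_reason(sample_access_token) || 'accepted'}"
  puts "id token:     #{rejection_reason(sample_id_token)}"
  puts "untyped:      #{rejection_reason(sample_untyped_token)}"
end
```

The `typ` check sits before the claim checks on purpose: an id token would also fail the `aud` test here, but relying on that is fragile, since the issue notes that access tokens may carry profile claims and, for some clients, the audiences can overlap. Rejecting on the missing or wrong `typ` keeps the decision independent of claim shape.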