Type: Bug
Resolution: Done
Priority: Major
When verifying a bearer token, the OIDC HTTP mechanism expects the payload to contain a "typ" claim with value "bearer". Access tokens provided by the Keycloak OpenID provider contain this claim. However, access tokens provided by the Azure AD OpenID provider do not contain this claim.
For the Azure AD OpenID provider, it is possible to work around the issue by configuring Azure AD to include a custom claim called "typ" with value "Bearer".
To prevent the need to configure a custom claim, a system property (e.g., wildfly.elytron.oidc.disable.typ.claim.validation) could be introduced. The default value would be false. When using an OpenID provider that doesn't include the "typ" claim in the payload of the access token, the system property could be set to true to disable the "typ" claim validation.
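The following is an added illustration, not code from WildFly Elytron, of the check this issue describes: the payload of the presented access token is decoded and rejected when it carries no "typ" claim or a "typ" value other than "bearer", and the proposed switch turns that check off. The sample Keycloak-style and Azure AD-style payloads are constructed for the example, the JWT is assembled with a placeholder signature (signature verification is assumed to have already happened), the case-insensitive comparison is an assumption of this example, and the `disable_typ_claim_validation` parameter stands in for the system property the issue proposes (the property name is only given as an example in the issue).

```python
import base64
import json

# Constructed sample payloads (not real tokens). A Keycloak-style access
# token carries "typ": "Bearer"; an Azure AD-style access token omits it.
KEYCLOAK_STYLE_PAYLOAD = {
    "iss": "https://keycloak.example/realms/demo",  # constructed issuer
    "sub": "alice",
    "typ": "Bearer",
    "exp": 4102444800,
}
AZURE_STYLE_PAYLOAD = {
    "iss": "https://login.example/TENANT_ID_PLACEHOLDER/v2.0",  # constructed
    "sub": "alice",
    "exp": 4102444800,
}
# The workaround from the issue: Azure AD configured to emit a custom "typ" claim.
AZURE_WITH_CUSTOM_TYP = {**AZURE_STYLE_PAYLOAD, "typ": "Bearer"}


def _b64url(data: bytes) -> str:
    # base64url without padding, as used by compact JWS serialization
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_unsigned_jwt(payload: dict) -> str:
    """Assemble header.payload.signature with a placeholder signature.

    Only the payload matters for this check; in a real mechanism the
    signature is verified before any claim validation runs."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.PLACEHOLDER_SIGNATURE"


def decode_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWS, restoring base64url padding."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    body = parts[1]
    body += "=" * (-len(body) % 4)  # re-add the padding that was stripped
    return json.loads(base64.urlsafe_b64decode(body))


class TypClaimError(ValueError):
    """Raised when the "typ" claim check fails."""


def validate_typ_claim(token: str, disable_typ_claim_validation: bool = False) -> dict:
    """Reject access tokens whose payload lacks "typ" or whose "typ" is not
    "bearer" (compared case-insensitively; an assumption of this example).

    disable_typ_claim_validation plays the role of the proposed
    wildfly.elytron.oidc.disable.typ.claim.validation property, defaulting
    to False so the check stays on unless explicitly switched off."""
    payload = decode_payload(token)
    if disable_typ_claim_validation:
        # Provider omits the claim and no custom claim was configured:
        # the operator has opted out of the token-type check entirely.
        return payload
    typ = payload.get("typ")
    if typ is None:
        raise TypClaimError('access token payload has no "typ" claim')
    if not isinstance(typ, str) or typ.lower() != "bearer":
        raise TypClaimError(f'unexpected "typ" claim value: {typ!r}')
    return payload


def check(token: str, disable: bool = False) -> str:
    """Return a short outcome string instead of raising, for side-by-side comparison."""
    try:
        validate_typ_claim(token, disable)
        return "accepted"
    except TypClaimError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("Keycloak-style token, check on :", check(build_unsigned_jwt(KEYCLOAK_STYLE_PAYLOAD)))
    print("Azure-style token, check on    :", check(build_unsigned_jwt(AZURE_STYLE_PAYLOAD)))
    print("Azure-style token, check off   :", check(build_unsigned_jwt(AZURE_STYLE_PAYLOAD), True))
    print("Azure + custom typ, check on   :", check(build_unsigned_jwt(AZURE_WITH_CUSTOM_TYP)))
```

The two ways out of the failure described in the issue show up as the last two lines of output: either the provider is configured to emit the custom "typ" claim (check stays on and the token is accepted), or the validation is disabled (the token is accepted without any token-type check, so the mechanism then relies solely on signature, issuer and expiry validation to reject tokens that were never meant to be used as bearer access tokens).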
Issue links: is related to WFLY-18130 Add information on how to disable 'typ' claim validation to the Elytron OIDC Client documentation (Closed)