RESTEasy project issue RESTEASY-2681

Incorrect JWS implementation


Type: Bug
Resolution: Done
Priority: Major
Versions: 3.14.0.Final, 4.6.0.Final

Hi,

It looks like even the latest code at https://github.com/resteasy/Resteasy/blob/master/security/jose-jwt/src/main/java/org/jboss/resteasy/jose/jws/ does not follow the RFC 7519 (JWT) specification correctly when it comes to signing. The RFC 7519 specification refers to the RFC 7515 specification (JWS), which states that the JWS Signing Input is "ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload))". But Resteasy only signs the raw JWS Payload. This can obviously lead to serious problems when a signed JWT is transferred between two parties and one of them is using Resteasy while the other is using an RFC 7519-compliant implementation.

Fixing this issue should be fairly simple; in fact, one could refer to the Keycloak implementation, where the issue has already been fixed: https://github.com/keycloak/keycloak/commit/0636cd898f064cf1b36e153ca1ad5c99cd6b6d91
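A worked illustration of the signing-input point made in the report, added here as an example; it is Python written for this page, not RESTEasy's or Keycloak's code. The key, header and claims are constructed values, and the HS256 signer and verifier are a minimal stand-in for an RFC 7515-compliant library. It shows that a token whose MAC covers only the raw payload bytes fails verification by a verifier that recomputes the MAC over the base64url-encoded header '.' payload string, even though the two tokens' header and payload segments are byte-for-byte identical.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example values for this demo (not from the RESTEasy issue or code base).
KEY = b"example-shared-secret-for-hs256-demo"
HEADER = {"alg": "HS256", "typ": "JWT"}
CLAIMS = {"iss": "issuer.example", "sub": "alice", "exp": 1700000000}


def b64url(data: bytes) -> str:
    """BASE64URL as defined in RFC 7515 section 2: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the '=' padding that BASE64URL removes."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_signing_input(header: dict, payload: bytes) -> bytes:
    """RFC 7515 section 5.1 step 5:
    ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload))."""
    header_utf8 = json.dumps(header, separators=(",", ":")).encode("utf-8")
    return (b64url(header_utf8) + "." + b64url(payload)).encode("ascii")


def hs256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def sign_compliant(header: dict, payload: bytes, key: bytes) -> str:
    """JWS Compact Serialization with the MAC computed over the JWS Signing Input."""
    signing_input = jws_signing_input(header, payload)
    return signing_input.decode("ascii") + "." + b64url(hs256(key, signing_input))


def sign_payload_only(header: dict, payload: bytes, key: bytes) -> str:
    """The non-compliant construction the issue describes: the MAC covers only the
    raw payload bytes, so neither the header nor the base64url encoding is signed."""
    signing_input = jws_signing_input(header, payload)
    return signing_input.decode("ascii") + "." + b64url(hs256(key, payload))


def verify_compliant(token: str, key: bytes) -> Optional[dict]:
    """RFC 7515 section 5.2 verification for HS256. Returns the claims on success and
    None on any failure. Only 'alg': 'HS256' is accepted; no algorithm switching."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # bad base64url or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    # Recompute the MAC over exactly the bytes a compliant signer used.
    expected = hs256(key, (header_b64 + "." + payload_b64).encode("ascii"))
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


def interop_check() -> dict:
    """What a compliant verifier does with a compliant token and a payload-only token."""
    payload = json.dumps(CLAIMS, separators=(",", ":")).encode("utf-8")
    good = sign_compliant(HEADER, payload, KEY)
    bad = sign_payload_only(HEADER, payload, KEY)
    return {
        "compliant_token_verifies": verify_compliant(good, KEY) == CLAIMS,
        "payload_only_token_verifies": verify_compliant(bad, KEY) is not None,
        "same_header_and_payload": good.rsplit(".", 1)[0] == bad.rsplit(".", 1)[0],
    }


if __name__ == "__main__":
    for name, result in interop_check().items():
        print(f"{name}: {result}")
```

The third flag is the practical lesson: the two tokens are indistinguishable by inspection and only differ in the signature segment, so the interoperability failure surfaces as a bare "invalid signature" at the receiving party rather than as an obviously malformed token.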

Assignee: r searls
Reporter: Dennis Leung
