Fix JwtSecurityToken Missing Mapping When Creating a Token.

src/System.IdentityModel.Tokens.Jwt/JwtSecurityTokenHandler.cs

@@ -35,6 +35,7 @@ public class JwtSecurityTokenHandler : SecurityTokenHandler
         private Dictionary<string, string> _outboundAlgorithmMap = null;
         private static string _shortClaimType = _namespace + "/ShortTypeName";
         private bool _mapInboundClaims = DefaultMapInboundClaims;
+        internal const string _enableRsaOaepMappingSwitch = "Switch.Microsoft.IdentityModel.EnableRsaOaepShortFormMapping";
 
         /// <summary>
         /// Default claim type mapping for inbound claims.
@@ -70,8 +71,16 @@ public class JwtSecurityTokenHandler : SecurityTokenHandler
             { SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.RsaSha256 },
             { SecurityAlgorithms.RsaSha384Signature, SecurityAlgorithms.RsaSha384 },
             { SecurityAlgorithms.RsaSha512Signature, SecurityAlgorithms.RsaSha512 },
+            { SecurityAlgorithms.RsaOaepKeyWrap, GetRsaOaepMapping() },
         };
 
+        private static string GetRsaOaepMapping()
+        {
+            bool useRsaOaepMapping = AppContext.TryGetSwitch(_enableRsaOaepMappingSwitch, out bool isEnabled) && isEnabled;
+
+            return useRsaOaepMapping ? SecurityAlgorithms.RsaOAEP : SecurityAlgorithms.RsaOaepKeyWrap;
+        }
+
         /// <summary>
         /// Static initializer for a new object. Static initializers run before the first instance of the type is created.
         /// </summary>

test/System.IdentityModel.Tokens.Jwt.Tests/JwtSecurityTokenHandlerTests.cs

@@ -55,6 +55,31 @@
                 Assert.NotNull(aTypeClaims.SingleOrDefault(c => c.Value == value));
         }
 
+        [Fact]
+        public void JwtSecurityTokenHandler_CreateToken_AddShortFormMappingForRsaOAEP()
+        {
+            AppContext.SetSwitch(JwtSecurityTokenHandler._enableRsaOaepMappingSwitch, true); //Set to false to test the default behavior and adjust the expected values accordingly.
+            var encryptingCredentials = new X509EncryptingCredentials(Default.Certificate);
+            SecurityTokenDescriptor tokenDescriptor = new SecurityTokenDescriptor
+            {
+                Issuer = Default.Issuer,
+                IssuedAt = DateTime.UtcNow.Subtract(new TimeSpan(1, 0, 0)),
+                Subject = new ClaimsIdentity(Default.PayloadJsonClaims),
+                NotBefore = DateTime.UtcNow.Subtract(new TimeSpan(1, 0, 0)),
+                Expires = DateTime.UtcNow.Subtract(new TimeSpan(0, 10, 0)),
+                SigningCredentials = Default.AsymmetricSigningCredentials,
+                EncryptingCredentials = encryptingCredentials,
+                TokenType = "JWE"
+            };
+
+            JwtSecurityTokenHandler tokenHandler = new JwtSecurityTokenHandler();
+            JwtSecurityToken token = tokenHandler.CreateJwtSecurityToken(tokenDescriptor);
+
+            Assert.NotNull(token);
+            Assert.NotEqual(token.Header.Alg, encryptingCredentials.Alg);
+            Assert.Equal(token.Header.Alg, SecurityAlgorithms.RsaOAEP);
+        }
+
         [Theory, MemberData(nameof(CreateJWEWithPayloadStringTheoryData))]
         public void CreateJWEWithAdditionalHeaderClaims(CreateTokenTheoryData theoryData)
         {