We are currently configuring IBM Application Gateway to be used with OAuth introspection and JWT as the identity header to be sent to the resource server. As all attributes are stored as strings in the credential, even claims that need numeric values can only be of type string. This has been discussed here: https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?GroupId=2863&MessageKey=168abd5e-e2d4-42ab-a12a-4886b173399d&CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d&ReturnUrl=%2fcommunity%2fuser%2fsecurity%2fcommunities%2fcommunity-home%2fdigestviewer%3fcommunitykey%3de7c36119-46d7-42f2-97a9-b44f0cc89c6d
This is problematic as it violates the JWT standard. For instance, this is the description of nbf:
RFC 7519, 4.1.5. "nbf" (Not Before) Claim
The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL.
The result is that JWTs generated by IAG cannot be evaluated by the resource servers, as the claims are of the wrong type.
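To show concretely why a string-typed "nbf"/"exp" breaks at the resource server, the following is an added example and not code from IBM Application Gateway, the IBM community thread, or the original post. It mints two HS256 tokens with identical content, one with NumericDate claims as JSON numbers and one with the same claims serialised as strings (the shape the post describes), and runs both through a minimal RFC 7519 validator. The shared secret, issuer, audience and subject are constructed for the demo; the validator enforces the "MUST be a number" rule before doing the time comparison, which is what a conformant resource-server library does.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed demo secret; a real resource server uses a key obtained from the IdP.
SECRET = b"demo-shared-secret-not-for-production"
LEEWAY_SECONDS = 60  # RFC 7519 allows "some small leeway" for clock skew


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Sign a payload with HS256 in JWS compact serialization (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Verify the signature and the time-based claims per RFC 7519 sections 4.1.4-4.1.6.

    Returns the claims on success and raises ValueError on any failure.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated segments")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "none" or a swapped alg
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # NumericDate MUST be a JSON number. bool is excluded explicitly because Python's
    # bool subclasses int; a string such as "1700000000" is rejected here, before any
    # comparison, which is exactly what happens to a token whose claims are all strings.
    for name in ("nbf", "exp", "iat"):
        if name in claims:
            value = claims[name]
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                raise ValueError(
                    f"claim {name!r} must be a NumericDate (JSON number), got {type(value).__name__}"
                )
    if "nbf" in claims and now + LEEWAY_SECONDS < claims["nbf"]:
        raise ValueError("token not yet valid (nbf in the future)")
    if "exp" in claims and now - LEEWAY_SECONDS >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def demo(now: float = 1_700_000_000.0) -> Dict[str, str]:
    """Mint a conformant token and a string-typed copy of it; report how each is treated."""
    base = {"iss": "https://idp.example", "sub": "alice", "aud": "resource-server"}  # constructed
    numeric = dict(base, iat=int(now), nbf=int(now) - 5, exp=int(now) + 300)
    # Same claims, but every time value rendered as a string, as a string-only credential store emits.
    stringy = {k: (str(v) if k in ("iat", "nbf", "exp") else v) for k, v in numeric.items()}
    results = {}
    for label, claims in (("numeric", numeric), ("string", stringy)):
        try:
            verify_jwt(mint_jwt(claims), now=now)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:8s} -> {outcome}")
```

Note that the string-typed token is rejected even though its signature is valid and its timestamps would be in range if parsed: a validator that follows the RFC never reaches the time comparison. Coercing "1700000000" to an integer on the resource-server side would work around it, but every JWT library downstream would need that patch, which is why the claim type has to be fixed at the issuer.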