The Duo SDK strips much of the JWT it gets back from Duo's own OIDC token endpoint, and presents it as its own custom Model classes.
Currently, I map those model classes to another set of custom ones in the API module. This allows other implementations to be pluggable without requiring the Duo Lombok-generated model.
It seems more sensible to map those to the Nimbus JWT interface and implementations, as Nimbus seems (so far) to be the OIDC library of choice for the IdP.
I have nearly finalized these changes in a local dev branch. If it works out, I think I will switch mainline over to this version. There are some implications: as Duo do not return the original JWS signature component, and there is a stage doing signature validation, I need to recompute and add the signature back to the generated Nimbus JWT. The alternative would be to bypass signature checking, e.g. with a PlainJWT (no signature) for the native Duo SDK, but check it for other implementations (or similar). But I feel we should enforce that a signature is present for any SDK, for fear of falling foul of alg:none-type exploits.
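As an added example, not code from the post above or from the project it describes, the following shows the "always require a signature" option with Nimbus JOSE+JWT: claims copied out of an SDK model object are rebuilt as a SignedJWT, re-signed, and then run through a DefaultJWTProcessor that refuses plain (alg=none) tokens and bad signatures. The HS256 shared secret, the issuer and audience strings, the claim names and the re-signing key are all assumptions for the demo; the post does not show how the real branch recomputes the signature.

```java
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

/**
 * Stand-alone demo (needs com.nimbusds:nimbus-jose-jwt on the classpath): rebuild a
 * SignedJWT from model-object claims, then validate it with a processor that never
 * accepts an unsigned token.
 */
public class SignedTokenRebuildDemo {

    // Hypothetical key standing in for whatever the IdP re-signs rebuilt tokens with.
    // MACSigner requires at least 256 bits for HS256.
    private static final byte[] SECRET =
            "example-secret-at-least-thirty-two-bytes-long!!".getBytes(StandardCharsets.UTF_8);

    // Constructed issuer/audience values; real ones come from the Duo client configuration.
    static final String ISSUER = "https://api.example.duosecurity.invalid/oauth/v1/token";
    static final String AUDIENCE = "idp-client-id";

    /** Claims as they would be copied out of the SDK's model class (constructed sample). */
    static JWTClaimsSet claimsFromModel(String username, long ttlSeconds) {
        long now = System.currentTimeMillis();
        return new JWTClaimsSet.Builder()
                .subject(username)
                .issuer(ISSUER)
                .audience(AUDIENCE)
                .issueTime(new Date(now))
                .expirationTime(new Date(now + ttlSeconds * 1000L))
                .claim("preferred_username", username)
                .build();
    }

    /** Put a signature back on the rebuilt claims so the validation stage has something to check. */
    static SignedJWT resign(JWTClaimsSet claims) throws JOSEException {
        SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.HS256).build(), claims);
        jwt.sign(new MACSigner(SECRET));
        return jwt;
    }

    /** Processor pinned to HS256 under SECRET; DefaultJWTProcessor rejects PlainJWT out of the box. */
    static DefaultJWTProcessor<SecurityContext> strictProcessor() {
        DefaultJWTProcessor<SecurityContext> p = new DefaultJWTProcessor<>();
        p.setJWSKeySelector(new JWSVerificationKeySelector<>(
                JWSAlgorithm.HS256, new ImmutableSecret<>(SECRET)));
        Set<String> required = new HashSet<>();
        required.add("sub");
        required.add("exp");
        JWTClaimsSet exactMatch = new JWTClaimsSet.Builder().issuer(ISSUER).build();
        p.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(AUDIENCE, exactMatch, required));
        return p;
    }

    /** Returns the verified subject, or null when the processor rejects the token. */
    static String check(DefaultJWTProcessor<SecurityContext> p, String token) {
        try {
            return p.process(token, null).getSubject();
        } catch (BadJOSEException | JOSEException | ParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        DefaultJWTProcessor<SecurityContext> p = strictProcessor();
        JWTClaimsSet claims = claimsFromModel("alice", 300);
        SignedJWT good = resign(claims);

        // 1. Rebuilt and re-signed token: accepted.
        System.out.println("signed:  sub=" + check(p, good.serialize()));

        // 2. Same claims as a PlainJWT (the bypass option): rejected before any claims check runs.
        System.out.println("plain:   sub=" + check(p, new PlainJWT(claims).serialize()));

        // 3. Valid header and signature spliced onto an edited payload: rejected by signature verification.
        JWTClaimsSet forged = new JWTClaimsSet.Builder(claims).subject("admin").build();
        SignedJWT spliced = new SignedJWT(good.getHeader().toBase64URL(),
                Base64URL.encode(forged.toString()), good.getSignature());
        System.out.println("spliced: sub=" + check(p, spliced.serialize()));
    }
}
```

Two points the demo relies on: the key selector is pinned to one algorithm, so a token whose header names a different `alg` is rejected rather than triggering algorithm confusion; and because DefaultJWTProcessor refuses PlainJWT unless subclassed, using one processor for every SDK is what makes the "signature required for any SDK" rule hold without a per-SDK bypass.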