We're currently using the Nimbus JOSE + JWT library (com.nimbusds:nimbus-jose-jwt) version 3.9, which is vulnerable to JWT algorithm confusion attacks.

We should upgrade to a new version; there might be some backwards-incompatible API changes.