From 45cc8d3bf9e90cd6dde4fd1293fd197920d0d800 Mon Sep 17 00:00:00 2001
From: thumimku <thumilan.15@cse.mrt.ac.lk>
Date: Fri, 27 Mar 2026 11:26:08 +0530
Subject: [PATCH] improve at jwt signing with np_at refresh token

---
 .../wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java   | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
index de7b62efd5..3bd372f3e5 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/JWTTokenIssuer.java
@@ -523,7 +523,11 @@ protected String signJWT(JWTClaimsSet jwtClaimsSet,
 
         if (JWSAlgorithm.RS256.equals(signatureAlgorithm) || JWSAlgorithm.RS384.equals(signatureAlgorithm) ||
                 JWSAlgorithm.RS512.equals(signatureAlgorithm) || JWSAlgorithm.PS256.equals(signatureAlgorithm)) {
-            return signJWTWithRSA(jwtClaimsSet, tokenContext, authorizationContext, isRefreshToken);
+            if (isRefreshToken) {
+                return signJWTWithRSA(jwtClaimsSet, tokenContext, authorizationContext, true);
+            }
+            // Call the 3-arg overload for non-refresh tokens (access tokens) to preserve subclass override behavior.
+            return signJWTWithRSA(jwtClaimsSet, tokenContext, authorizationContext);
         } else if (JWSAlgorithm.HS256.equals(signatureAlgorithm) || JWSAlgorithm.HS384.equals(signatureAlgorithm) ||
                 JWSAlgorithm.HS512.equals(signatureAlgorithm)) {
             return signJWTWithHMAC(jwtClaimsSet, tokenContext, authorizationContext);