refactor: move assertJwtClaimsAndHeader after regular JWT claims set …

…validation

lib/actions/authorization/process_request_object.js

@@ -157,19 +157,19 @@ export default async function processRequestObject(PARAM_LIST, rejectDupesMiddle
     ignoreAzp: true,
   };
 
+  try {
+    JWT.assertPayload(payload, opts);
+  } catch (err) {
+    throw new InvalidRequestObject('Request Object claims are invalid', err.message);
+  }
+
   await conf.features.requestObjects.assertJwtClaimsAndHeader(
     ctx,
     structuredClone(decoded.payload),
     structuredClone(decoded.header),
     client,
   );
 
-  try {
-    JWT.assertPayload(payload, opts);
-  } catch (err) {
-    throw new InvalidRequestObject('Request Object claims are invalid', err.message);
-  }
-
   if (pushedRequestObject) {
     ({ trusted } = pushedRequestObject);
   } else {

test/fapi/fapi-id2.test.js

@@ -129,6 +129,7 @@ describe('Financial-grade API - Part 2: Read and Write API Security Profile (ID2
 
     it('requires exp to be provided in the Request Object', async function () {
       const request = await new SignJWT({
+        aud: this.provider.issuer,
         client_id: 'client',
         scope: 'openid',
         iss: 'client',