For now, the test is done with HS256, but a server could check only the alg and not the rest of the token. The idea would be to create a new token with the same alg but signed with a random secret.
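One way to sketch the check described above, as an added example that is not the project's own code: a valid HS256 token is re-signed with a random secret, and a verifier passes only if it accepts the original and rejects the re-signed copy. All function names, the secret and the sample token are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(hs256(signing_input, secret))

def resign_with_random_secret(token: str) -> str:
    """Keep header and payload as-is; replace the signature with one made from a random key."""
    head, body, _ = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("this check only covers HS256 tokens")
    return f"{head}.{body}.{b64url(hs256(f'{head}.{body}', secrets.token_bytes(32)))}"

def verify_alg_only(token: str, secret: bytes) -> bool:
    """Flawed verifier (hypothetical): looks at alg, never at the signature."""
    return json.loads(b64url_decode(token.split(".")[0])).get("alg") == "HS256"

def verify_full(token: str, secret: bytes) -> bool:
    """Correct verifier: pins alg and compares the HMAC in constant time."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        return False
    return hmac.compare_digest(hs256(f"{head}.{body}", secret), b64url_decode(sig))

def signature_is_checked(verify, valid_token: str, secret: bytes) -> bool:
    """True when the verifier accepts the valid token and rejects the re-signed one."""
    return verify(valid_token, secret) and not verify(resign_with_random_secret(valid_token), secret)

# Constructed sample data, not taken from any real service.
SERVER_SECRET = b"constructed-test-secret"
VALID = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "test-user"}, SERVER_SECRET)

if __name__ == "__main__":
    for name, fn in (("alg-only", verify_alg_only), ("full", verify_full)):
        print(name, "checks signature:", signature_is_checked(fn, VALID, SERVER_SECRET))
```

A verifier that fails this check needs to pin the expected algorithm and validate the signature against its own key before trusting any claim.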
The Web Extension API is an HTTP API that accepts HTTP requests carrying a JWT. The API must take the request that initially targeted the service which should have received the token. The project should then copy this request and run the scan with that information.
When OpenAPI contains an OpenID Connect authorization, use this authentication method instead of JWT. Open a browser to let the user authorize themselves.