Misconfiguration in JWT's jku lesson #1715

@TsugumiRen

In the JWT's jku lesson, the lesson HTML page configures the submission link as /WebGoat/JWT/final/delete?token=... . However, it should correspond to the controller whose path is /WebGoat/JWT/jku/delete?token=... , which sits in org.owasp.webgoat.lessons.jwt.claimmisuse.JWTHeaderJKUEndpoint.
I am not familiar with the HTML framework this project uses, but after checking it, it seems that this problem still exists in the current branch.
BTW, I also notice that the Docker image can't show the quiz and can't upload files to WebWolf, but I have no idea why this happens. I am using the newest Docker image of WebGoat on Ubuntu 22.04.
I appreciate this project and its maintainers; it indeed helps me gain more knowledge about web security.
