Sha256: e437af56e2653c130e9415d0aa2b8d71022fe2085afc84d41ded2fbc77edc4d6

Size: 1.19 KB

Versions: 3

Stored size: 1.19 KB

Contents

# 1.6.0

## Improvements

### "at+jwt" and "id_token+jwt" typ header in JWT tokens

In order to distinguish the two kinds of token, JWT access tokens generated by the `oauth_jwt` feature will contain the "at+jwt" value in the "typ" header (which follows the [recommendation in the RFC](https://datatracker.ietf.org/doc/html/rfc9068#section-2.1)), whereas ID tokens generated by the `oidc` feature will contain the "id_token+jwt" value in the "typ" header (there is no official recommendation, but some providers are using this).

**Note**: This header will also be used to validate access tokens. This means that, once you upgrade, **access tokens generated prior to the upgrade won't be usable anymore**. In order to mitigate this and smooth the upgrade process, disable header verification for a period longer than the access token expiration time in your application (controlled by the `oauth_access_token_expires_in` auth value method, 60 minutes by default); this will allow the older access tokens to expire. You can do so by overriding the `verify_access_token_headers` auth method:

```ruby
rodauth do
  enable :oauth_jwt # or :oidc
  oauth_access_token_expires_in 60 * 60

  verify_access_token_headers { } # do nothing
end
```
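The following is an added example, not code from rodauth-oauth or from the release note above. It uses only the Ruby standard library to mint and verify HS256 JWTs (the shared `SECRET` is a constructed placeholder) and shows two things the note implies but does not spell out: why the "typ" check matters for security, since a token with "id_token+jwt" must be rejected where an access token ("at+jwt") is expected, and how a time-boxed grace window for pre-upgrade tokens (which carry no "typ" at all) can be decided from `oauth_access_token_expires_in`. The helper names (`issue_jwt`, `decode_jwt`, `classify_access_token`, `legacy_window_open?`) are this example's own, not rodauth-oauth's API; the library's actual hook is the `verify_access_token_headers` method shown above.

```ruby
require "json"
require "openssl"

# Constructed placeholder secret for the HS256 demo; not a real key.
SECRET = "constructed-demo-hmac-secret"

# Base64url without padding, as JWT requires (stdlib pack/unpack only).
def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0")
end

# Constant-time comparison so signature checks do not leak via timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue an HS256-signed JWT; typ: nil mimics tokens minted before the upgrade,
# which had no "typ" header at all.
def issue_jwt(payload, typ: nil)
  header = { "alg" => "HS256" }
  header["typ"] = typ if typ
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  signature = OpenSSL::HMAC.digest("SHA256", SECRET, signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Verify the signature first, then return [header, payload] as Hashes.
def decode_jwt(token)
  h, p, s = token.split(".", 3)
  raise ArgumentError, "malformed JWT" unless h && p && s
  expected = OpenSSL::HMAC.digest("SHA256", SECRET, "#{h}.#{p}")
  raise ArgumentError, "bad signature" unless constant_time_equal?(expected, b64url_decode(s))
  [JSON.parse(b64url_decode(h)), JSON.parse(b64url_decode(p))]
end

# Tokens without "typ" (pre-upgrade) are tolerated only until every token issued
# before the upgrade has expired, i.e. upgraded_at + access_token_expires_in.
def legacy_window_open?(now, upgraded_at, access_token_expires_in)
  now < upgraded_at + access_token_expires_in
end

# Decision for a token presented as an access token:
#   :ok     -> "typ" is "at+jwt"
#   :legacy -> no "typ" and the grace window is open
#   :reject -> anything else, including an ID token ("id_token+jwt")
def classify_access_token(header, allow_legacy:)
  case header["typ"]
  when "at+jwt" then :ok
  when nil then allow_legacy ? :legacy : :reject
  else :reject
  end
end

if __FILE__ == $0
  at_token  = issue_jwt({ "sub" => "alice" }, typ: "at+jwt")
  id_token  = issue_jwt({ "sub" => "alice" }, typ: "id_token+jwt")
  old_token = issue_jwt({ "sub" => "alice" })          # pre-upgrade style, no "typ"
  upgraded_at = 1_700_000_000                          # constructed epoch timestamp
  window = legacy_window_open?(upgraded_at + 1_800, upgraded_at, 3_600)
  [at_token, id_token, old_token].each do |t|
    puts classify_access_token(decode_jwt(t).first, allow_legacy: window)
  end
end
```

Run it with `ruby typ_check.rb`: the access token classifies as `ok`, the ID token as `reject` even while the grace window is open, and the pre-upgrade token as `legacy` only until the window closes. The point of keeping the window bounded by the access token lifetime is that, after it closes, a missing "typ" is treated exactly like a wrong one.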

Version data entries

3 entries across 3 versions & 1 rubygems

| Version | Path |
| --- | --- |
| rodauth-oauth-1.6.3 | doc/release_notes/1_6_0.md |
| rodauth-oauth-1.6.2 | doc/release_notes/1_6_0.md |
| rodauth-oauth-1.6.0 | doc/release_notes/1_6_0.md |