CHANGELOG.md in rodauth-oauth-0.0.5 vs CHANGELOG.md in rodauth-oauth-0.0.6
- old
+ new
@@ -1,8 +1,31 @@
# CHANGELOG
## master
+### 0.0.6
+
+#### Features
+
+The `oauth_jwt` feature now supports JWT Secured Authorization Request (JAR) (see https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20). This means that client applications can send the authorization parameters inside a signed JWT. The client applications keeps the private key, while the authorization server **must** store a public key for the client application. For encrypted JWTs, the client application should use one of the public encryption keys exposed in the JWKs URI, to encrypt the JWT. Remember, **tokens must be signed then encrypted** (or just signed).
+
+###### Options:
+
+* `:oauth_application_jws_jwk_column`: db column where the public key is stored; since it's stored in the JWS format, it can be stored either as a String (JSON-encoded), or as an hstore (if you're using postgresql);
+* `:oauth_jwt_jwe_key`: key used to decrypt the request JWT;
+* `:oauth_jwt_jwe_public_key`: key used to encrypt the request JWT, and which will be exposed in the JWKs URI in the JWK format;
+
+
+#### Improvements
+
+* Removing all `_param` options; these defined the URL params, however we're using protocol-defined params, so it's unlikely (and undesired) that these'll change.
+* Hitting the revoke endpoint with a JWT access token returns a 400 error;
+
+#### Chore
+
+Removed React Javascript from example applications.
+
+
### 0.0.5 (26/6/2020)
#### Features
* new option: `oauth_scope_separator` (default: `" "`), to define how scopes are stored;
\ No newline at end of file
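Review bot: In the Options list, the `:oauth_application_jws_jwk_column` entry says the client's public key is "stored in the JWS format", but JWS is the signed-token serialization and a key is represented as a JWK. The `:oauth_jwt_jwe_public_key` entry two lines below already says "in the JWK format", so the first entry should read "since it's stored in the JWK format". Two smaller points in the same hunk: the removal of all `_param` options is filed under "Improvements" although it breaks any configuration that sets them, so it deserves an explicit breaking-change note for anyone upgrading; and the `### 0.0.6` heading carries no release date while `### 0.0.5 (26/6/2020)` does. The sentence "The client applications keeps the private key" also needs "application keeps".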