lib/rodauth/features/oauth_jwt.rb in rodauth-oauth-1.5.0 vs lib/rodauth/features/oauth_jwt.rb in rodauth-oauth-1.6.0

- old
+ new

@@ -7,11 +7,14 @@ Feature.define(:oauth_jwt, :OauthJwt) do
   depends :oauth_jwt_base, :oauth_jwt_jwks
   auth_value_method :oauth_jwt_access_tokens, true
-  auth_methods(:jwt_claims)
+  auth_methods(
+    :jwt_claims,
+    :verify_access_token_headers
+  )
   def require_oauth_authorization(*scopes)
     return super unless oauth_jwt_access_tokens
     authorization_required unless authorization_token
@@ -51,14 +54,18 @@
     return @authorization_token if defined?(@authorization_token)
     @authorization_token = decode_access_token
   end
+  def verify_access_token_headers(headers)
+    headers["typ"] == "at+jwt"
+  end
+
   def decode_access_token(access_token = fetch_access_token)
     return unless access_token
-    jwt_claims = jwt_decode(access_token)
+    jwt_claims = jwt_decode(access_token, verify_headers: method(:verify_access_token_headers))
     return unless jwt_claims
     return unless jwt_claims["sub"]
@@ -92,10 +99,12 @@
     # one of the points of using jwt is avoiding database lookups, so we put here all relevant
     # token data.
     claims[:scope] = oauth_grant[oauth_grants_scopes_column]
-    jwt_encode(claims)
+    # RFC8725 section 3.11: Use Explicit Typing
+    # RFC9068 section 2.1 : The "typ" value used SHOULD be "at+jwt".
+    jwt_encode(claims, headers: { typ: "at+jwt" })
   end
   def _generate_access_token(*)
     super unless oauth_jwt_access_tokens
   end
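Review bot: `headers["typ"] == "at+jwt"` in the new verify_access_token_headers is stricter than the RFCs the commit cites: RFC 9068 §4 tells a resource server to accept `at+jwt` or `application/at+jwt`, and RFC 7515 §4.1.9 makes the typ comparison case-insensitive, so a token minted in the long form by another conforming issuer is refused here. It also means every access token issued by 1.5.0 (which set no typ header) is rejected the moment a deployment upgrades, which deserves a changelog line because the failure looks like a bad token rather than version skew. A small widening keeps the explicit-typing protection intact: `# RFC 9068 §4: accept the short form and the full media type (typ is case-insensitive, RFC 7515 §4.1.9)` followed by `%w[at+jwt application/at+jwt].include?(headers["typ"].to_s.downcase)`. How jwt_decode treats a false return from verify_headers, and whether header keys arrive as strings, is defined in oauth_jwt_base outside this diff; decode_access_token's body also continues past the hunk.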
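Review bot: The new comment above jwt_encode quotes RFC 9068 §2.1's SHOULD, but in this codebase the header is mandatory: verify_access_token_headers in the same release rejects any access token whose typ is not exactly at+jwt, so a reader who tunes or drops the header here would silently break verification of every token the server issues. I would add a third comment line making that coupling explicit: `# Required here: verify_access_token_headers rejects access tokens without typ == "at+jwt".` The enclosing method begins outside the hunk, so which other RFC 9068 claims (iss, aud, exp, jti) are populated cannot be checked from this view.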