lib/rodauth/features/oauth_jwt_base.rb in rodauth-oauth-1.3.2 vs lib/rodauth/features/oauth_jwt_base.rb in rodauth-oauth-1.4.0

- old
+ new

@@ -16,11 +16,11 @@ auth_value_method :oauth_jwt_jwe_keys, {}
 auth_value_method :oauth_jwt_jwe_public_keys, {}
 auth_value_method :oauth_jwt_jwe_copyright, nil
- auth_value_methods(
+ auth_methods(
 :jwt_encode, :jwt_decode, :jwt_decode_no_key, :generate_jti, :oauth_jwt_issuer,
@@ -61,16 +61,12 @@ else
 Array(grant_or_claims["aud"]).include?(oauth_application[oauth_applications_client_id_column])
 end
 end
- def jwt_subject(oauth_grant, client_application = oauth_application)
- account_id = oauth_grant[oauth_grants_account_id_column]
-
- return account_id.to_s if account_id
-
- client_application[oauth_applications_client_id_column]
+ def jwt_subject(account_unique_id, client_application = oauth_application)
+ (account_unique_id || client_application[oauth_applications_client_id_column]).to_s
 end
 def resource_owner_params_from_jwt_claims(claims)
 { oauth_grants_account_id_column => claims["sub"] }
 end
@@ -171,10 +167,11 @@ jwk.thumbprint
 end
 def jwt_encode(payload, jwks: nil,
+ headers: {},
 encryption_algorithm: oauth_jwt_jwe_keys.keys.dig(0, 0), encryption_method: oauth_jwt_jwe_keys.keys.dig(0, 1), jwe_key: oauth_jwt_jwe_keys[[encryption_algorithm, encryption_method]], signing_algorithm: oauth_jwt_keys.keys.first)
@@ -184,12 +181,20 @@ key = oauth_jwt_keys[signing_algorithm] || _jwt_key
 key = key.first if key.is_a?(Array)
 jwk = JSON::JWK.new(key || "")
+ # update headers
+ headers.each_key do |k|
+ if jwt.respond_to?(:"#{k}=")
+ jwt.send(:"#{k}=", headers[k])
+ headers.delete(k)
+ end
+ end
+ jwt.header.merge(headers) unless headers.empty?
+ jwt = jwt.sign(jwk, signing_algorithm)
- jwt.kid = jwk.thumbprint
 return jwt.to_s unless encryption_algorithm && encryption_method
 if jwks && (jwk = jwks.find { |k| k[:use] == "enc" && k[:alg] == encryption_algorithm && k[:enc] == encryption_method })
 jwk = JSON::JWK.new(jwk)
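Review bot: `resource_owner_params_from_jwt_claims` in this hunk still maps `claims["sub"]` straight onto `oauth_grants_account_id_column`, while the rewritten `jwt_subject` now writes whatever `account_unique_id` the caller passes into `sub`; if that identifier is no longer the account primary key (the rename from `oauth_grant[oauth_grants_account_id_column]` suggests it may be a separate unique id), the claims-side lookup will miss and the column in that hash should be updated to match. The same lines show `sub` falling back to the client id when `account_unique_id` is nil, so a client-credentials token pushed through `resource_owner_params_from_jwt_claims` lands a client identifier in the account id column — this predates the commit, but the new signature is a good moment to either reject that case there or state that callers must compare `sub` against the client id first. A short comment above the new signature, such as `# sub: the account's unique id, or the client id for tokens without a resource owner`, would also help anyone who overrides `jwt_subject`, since the first parameter's meaning changed.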
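Review bot: `jwt.header.merge(headers) unless headers.empty?` discards its result — `Hash#merge` returns a new hash — so every header key without a matching setter on `jwt` is silently dropped from the signed token; assuming `jwt.header` is the header hash (as the removed `jwt.kid = jwk.thumbprint` implies), this should be `jwt.header.merge!(headers) unless headers.empty?` or `jwt.header = jwt.header.merge(headers)`. The loop above also mutates the caller's argument through `headers.delete(k)`, which empties a hash the caller may reuse and raises `FrozenError` on a frozen one; working on a copy with `headers = headers.dup` before the loop, or partitioning the keys instead of deleting, avoids that. Removing `jwt.kid = jwk.thumbprint` means `kid` is no longer set unless every caller now supplies it in `headers`, and verifiers that pick the signing key by `kid` from the JWKS lose that hint, so a fallback such as `jwt.kid = jwk.thumbprint unless jwt.header[:kid]` after the merge looks safer. `jwt.send` also reaches private setters; `jwt.public_send(:"#{k}=", headers[k])` limits header keys to the public accessors without changing the intended behavior.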
@@ -327,11 +332,11 @@ jwk = jwk_import(jwk) if jwk.is_a?(Hash)
 JWT::JWK::Thumbprint.new(jwk).generate
 end
 def jwt_encode(payload,
- signing_algorithm: oauth_jwt_keys.keys.first, **)
- headers = {}
+ signing_algorithm: oauth_jwt_keys.keys.first,
+ headers: {}, **)
 key = oauth_jwt_keys[signing_algorithm] || _jwt_key
 key = key.first if key.is_a?(Array)
 case key
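Review bot: `headers` is now the caller's hash rather than the fresh local `headers = {}` this hunk removes; if the body below still assigns into it (the removed local suggests it did), the caller's hash is mutated and a frozen hash passed by a caller raises `FrozenError`, so the body should start with `headers = headers.dup` or build a new merged hash. The method continues past the end of the hunk, so I cannot confirm how `headers` is consumed. A one-line comment above the signature, e.g. `# headers: extra JOSE header members merged into the token header before signing`, would document the new keyword, and its semantics should match the other `jwt_encode` in this file, which applies matching setters first and merges the remaining keys.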