doc/release_notes/1_6_0.md
Last Update: 2024-04-05 12:58:59 +0000

1.6.0

Improvements

“at+jwt” and “id_token+jwt” typ header in JWT tokens

In order to distinguish/identify tokens, JWT access tokens generated by the oauth_jwt feature will contain the “at+jwt” value in the “typ” header (following the recommendation in the RFC), whereas ID tokens generated by the oidc feature will contain the “id_token+jwt” value in the “typ” header (there is no official recommendation, but some providers use this).

Note: This header will also be used to validate access tokens. This means that, once you upgrade, access tokens generated prior to the upgrade won’t be usable anymore. To mitigate this and smooth the upgrade process, disable header verification for a period longer than the access token expiration time in your application (controlled by the oauth_access_token_expires_in auth value method, 60 minutes by default); this will allow older access tokens to expire. You can do so by overriding the verify_access_token_headers auth method:

```ruby
rodauth do
  enable :oauth_jwt # or :oidc
  oauth_access_token_expires_in 60 * 60

  verify_access_token_headers { } # do nothing
end
```
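To make the behaviour concrete, here is an added example (not rodauth-oauth's own code): a minimal HS256 JWT issuer and verifier built on Ruby's standard library. It issues access tokens with `typ: "at+jwt"` and ID tokens with `typ: "id_token+jwt"`, and its `verify_access_token` accepts a `verify_headers:` switch that plays the role of the overridden `verify_access_token_headers` above, so you can see which tokens stop validating after the upgrade and which are accepted again during the migration window. The signing key, subject names and timestamps are constructed for the demo; the function names are assumptions, not the library's API.

```ruby
require "json"
require "base64"
require "openssl"

# Constructed demo key (assumption: a shared HS256 secret; not from rodauth-oauth).
DEMO_SECRET = "constructed-demo-hs256-key".freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time byte comparison so a forged signature cannot be probed via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Sign header + claims as a compact HS256 JWT.
def issue_jwt(header, claims, secret: DEMO_SECRET)
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  sig = OpenSSL::HMAC.digest("SHA256", secret, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Access tokens carry typ "at+jwt", as the oauth_jwt feature now does.
def issue_access_token(sub, now: Time.now.to_i, expires_in: 3600)
  issue_jwt({ "alg" => "HS256", "typ" => "at+jwt" },
            { "sub" => sub, "iat" => now, "exp" => now + expires_in })
end

# ID tokens carry typ "id_token+jwt", as the oidc feature now does.
def issue_id_token(sub, now: Time.now.to_i, expires_in: 3600)
  issue_jwt({ "alg" => "HS256", "typ" => "id_token+jwt" },
            { "sub" => sub, "iat" => now, "exp" => now + expires_in })
end

# Verify an access token: signature, then expiry, then the "typ" header.
# verify_headers: false mirrors the "do nothing" override used during the
# upgrade window. Returns the claims hash, or nil when the token is rejected.
def verify_access_token(token, secret: DEMO_SECRET, now: Time.now.to_i, verify_headers: true)
  parts = token.split(".")
  return nil unless parts.size == 3
  h64, c64, s64 = parts

  header, claims, sig = begin
    [JSON.parse(Base64.urlsafe_decode64(h64)),
     JSON.parse(Base64.urlsafe_decode64(c64)),
     Base64.urlsafe_decode64(s64)]
  rescue ArgumentError, JSON::ParserError
    return nil
  end

  # Pin the algorithm: "none" or any unexpected alg is rejected before the MAC check.
  return nil unless header["alg"] == "HS256"
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{h64}.#{c64}")
  return nil unless secure_equal?(expected, sig)
  return nil unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  # With header verification on, ID tokens and pre-upgrade tokens (no "typ") are
  # not accepted as access tokens.
  return nil if verify_headers && header["typ"] != "at+jwt"

  claims
end
```

The order of checks matters: the signature is validated before the `typ` header is consulted, so disabling header verification during the migration only widens which *validly signed* tokens are accepted, never which signatures are. A pre-upgrade token without a `typ` header passes only while `verify_headers: false` is in effect; once that window (longer than `oauth_access_token_expires_in`) closes, every such token has already expired on its own.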