A rodauth-oauth provider with the :oauth_jwt feature will generate JWT access tokens. This feature supports all the JOSE specs, and requires you to either:
JWT access tokens can be verified by clients with little intervention from the OAuth provider (only the public key is required to verify the JWT signature).

JWT tokens can’t be “revoked” (unless the public key used for verification is decommissioned), so make sure you keep expiration times low.
```ruby
plugin :rodauth do
  enable :oauth_jwt, :oauth_authorization_code_grant #, :oauth_jwt_jwks
  oauth_jwt_keys { "RS256" => [OpenSSL::PKey.read(File.read('/path/to/private.pem'))] }
  oauth_jwt_public_keys { "RS256" => [OpenSSL::PKey.read(File.read('/path/to/public.pem'))] }
end
```
You can append legacy public keys to the end of the array for the respective algorithm under oauth_jwt_public_keys:

```ruby
oauth_jwt_public_keys("RS256" => [
  OpenSSL::PKey.read(File.read('/path/to/current.pem')),
  OpenSSL::PKey.read(File.read('/path/to/legacy.pem'))
])
```
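The two points above (clients verify with only the public key, and a legacy key appended to the list keeps previously issued tokens verifiable while the signing key rotates) can be seen end to end in the following added example. It is not rodauth-oauth's own code: it is a minimal RS256 JWT issuer and verifier written on the Ruby standard library (OpenSSL only, no `jwt` gem), with in-memory keys generated on the fly in place of the PEM files. The `issue_jwt`, `verify_jwt` and `rotation_demo` names are assumptions for this example. The verifier pins the algorithm to RS256 (so a token cannot select `none` or a different algorithm), tries the public keys in order, and treats `exp` as mandatory, since short lifetimes are the only revocation lever the page describes.

```ruby
require "openssl"
require "json"

# Constructed example, not rodauth-oauth's implementation. Base64url helpers
# built on pack/unpack so nothing outside the standard library is required.
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.size % 4) % 4)
  padded.unpack1("m0") # strict decoding: raises ArgumentError on garbage
end

# Provider side: sign claims with the private key (the role oauth_jwt_keys plays).
def issue_jwt(private_key, claims)
  header = { "alg" => "RS256", "typ" => "JWT" }
  signing_input = [b64url(JSON.generate(header)), b64url(JSON.generate(claims))].join(".")
  signature = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Resource server side: verify with public keys only, current key first and
# legacy keys after, mirroring the order of the oauth_jwt_public_keys array.
# Returns the claims hash on success, nil on any failure.
def verify_jwt(token, public_keys, now: Time.now.to_i)
  parts = token.split(".")
  return nil unless parts.size == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  # Algorithm pinning: the verifier decides the algorithm, never the token.
  return nil unless header["alg"] == "RS256"
  signing_input = "#{header_b64}.#{payload_b64}"
  signature = b64url_decode(sig_b64)
  verified = public_keys.any? do |key|
    key.verify(OpenSSL::Digest.new("SHA256"), signature, signing_input)
  end
  return nil unless verified
  claims = JSON.parse(b64url_decode(payload_b64))
  # Tokens cannot be revoked, so a missing or past exp must fail closed.
  return nil unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims
rescue JSON::ParserError, ArgumentError
  nil
end

# Walk through a key rotation: a token signed with the legacy key stays valid
# while that key is still listed, and stops validating once it is decommissioned.
def rotation_demo
  legacy_key  = OpenSSL::PKey::RSA.new(2048)
  current_key = OpenSSL::PKey::RSA.new(2048)
  now = Time.now.to_i
  old_token = issue_jwt(legacy_key,  { "sub" => "user-1", "exp" => now + 300 })
  new_token = issue_jwt(current_key, { "sub" => "user-1", "exp" => now + 300 })
  expired   = issue_jwt(current_key, { "sub" => "user-1", "exp" => now - 1 })
  # Tampered copy of new_token whose header claims alg "none".
  alg_none  = new_token.split(".").tap { |p| p[0] = b64url('{"alg":"none"}') }.join(".")
  rotated   = [current_key.public_key, legacy_key.public_key]
  {
    old_ok:                !verify_jwt(old_token, rotated).nil?,
    new_ok:                !verify_jwt(new_token, rotated).nil?,
    expired_ok:            !verify_jwt(expired, rotated).nil?,
    alg_none_ok:           !verify_jwt(alg_none, rotated).nil?,
    after_decommission_ok: !verify_jwt(old_token, [current_key.public_key]).nil?
  }
end

if __FILE__ == $PROGRAM_NAME
  puts rotation_demo.inspect
end
```

Keeping the current key first means the common case costs one signature check; the legacy key is only consulted for tokens issued before the rotation, and dropping it from the array is what finally invalidates those tokens.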
The “token” column in the grants table is not required when using JWT access tokens, but the “refresh token” column is, as refresh tokens are not JWTs.