rodauth-oauth 1.3.2 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bf721a3632883e34bff44e33ca84c9a5aa2248748ccecf52c180edd25086abad
-  data.tar.gz: 59966edc773dbee470be46770532ee9159dfe370d346eca936a2ebc48a8fd224
+  metadata.gz: 87a675b4d44ba1003c451dc25b22c0b9fec5f346e2d03ef114d19f77ffd768da
+  data.tar.gz: 6921bd4b1bef1c88124bc323e293d9218959f94c985b9ed4c7e4b4452d474d55
 SHA512:
-  metadata.gz: 6855059fe2d8225e4f3650dca01ad4ff3d82ad4e42623b43e5ea1d42ef3dbec317bf9488a2b1598556c135f9b9bf1d45ac41512d7347e3c5c55b7c5e8bd63305
-  data.tar.gz: 9a564b8ad6812841f4a2737ee263af188e5231c49b8b475f0c575a5b0496aa6f534709552845caaaacbb73dbe1afabb9079a17265683be5df73f62075a78896e
+  metadata.gz: 4969a6eba906a0b180c325528c780c122b841ce7cc59c844d510a0dee8791de41cebb294f0f11d6bd23e09644732bf4b32b72e9b8ac918f0c53249fdcf4e6fd0
+  data.tar.gz: 4fae6adcc4b8ac567160182c52dc1c8d8f6fe34d0875f617b5284777fb64f0f5e7c4430ec9e769d78a8774e04d1c755bbabc4be6757d916b07fa5d14dc2b7eb4

data/README.md

@@ -18,8 +18,12 @@ This is an extension to the `rodauth` gem which implements the [OAuth 2.0 framew
 * Dynamic OP
 * Form Post OP
 * 3rd Party-Init OP
+* Session Management OP
+* RP-Initiated Logout OP
+* Front-Channel Logout OP
+* Back-Channel Logout OP
 
-(it also passes the conformance tests for the RP-Initiated Logout OP).
+The certifications were obtained using the [example OIDC server](/examples/oidc/authentication_server.rb) deployed [here](https://rodauth-oauth-oidc.onrender.com/).
 
 ## Features
 
@@ -43,7 +47,6 @@ This gem implements the following RFCs and features of OAuth:
   * `oauth_jwt_secured_authorization_response_mode` - [JWT Secured Authorization Response_mode](https://openid.net/specs/openid-financial-api-jarm.html);
   * `oauth_resource_indicators` - [Resource Indicators](https://datatracker.ietf.org/doc/html/rfc8707);
   * Access Type (Token refresh online and offline);
-* `oauth_http_mac` - [MAC Authentication Scheme](https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02);
 * `oauth_assertion_base` - [Assertion Framework](https://datatracker.ietf.org/doc/html/rfc7521);
   * `oauth_saml_bearer_grant` - [SAML 2.0 Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7522);
   * `oauth_jwt_bearer_grant` - [JWT Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7523);
@@ -52,13 +55,17 @@ This gem implements the following RFCs and features of OAuth:
 * OAuth application and token management dashboards;
 *  The recommendations for [Native Apps](https://www.rfc-editor.org/rfc/rfc8252);
 
-It also implements the [OpenID Connect layer](https://openid.net/connect/) (via the `openid` feature) on top of the OAuth features it provides, including:
+It also implements several components of [OpenID Connect](https://openid.net/connect/) on top of the OAuth features it provides, including:
 
-* [OpenID Connect Core](https://gitlab.com/os85/rodauth-oauth/-/wikis/Id-Token-Authentication);
-* [OpenID Connect Discovery](https://gitlab.com/os85/rodauth-oauth/-/wikis/OIDC-Dynamic-Client-Registration);
-* [OpenID Multiple Response Types](https://gitlab.com/os85/rodauth-oauth/-/wikis/Hybrid-flow);
-* [OpenID Connect Dynamic Client Registration](https://gitlab.com/os85/rodauth-oauth/-/wikis/OIDC-Dynamic-Client-Registration);
-* [RP Initiated Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/RP-Initiated-Logout);
+* `oidc` - [OpenID Connect Core](https://gitlab.com/os85/rodauth-oauth/-/wikis/Id-Token-Authentication);
+  * `oidc_self_issued` - [Self-Issued OpenID Provider](https://openid.net/specs/openid-connect-core-1_0.html#SelfIssued)
+  * [OpenID Multiple Response Types](https://gitlab.com/os85/rodauth-oauth/-/wikis/Hybrid-flow);
+  * [OpenID Connect Discovery](https://gitlab.com/os85/rodauth-oauth/-/wikis/OIDC-Dynamic-Client-Registration);
+* `oidc_dynamic_client_registration` - [OpenID Connect Dynamic Client Registration](https://gitlab.com/os85/rodauth-oauth/-/wikis/OIDC-Dynamic-Client-Registration);
+* `oidc_session_management` - [Session Management](https://gitlab.com/os85/rodauth-oauth/-/wikis/Session-Management);
+* `oidc_rp_initiated_logout` - [RP Initiated Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/RP-Initiated-Logout);
+* `oidc_frontchannel_logout` - [Frontchannel Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/Frontchannel-Logout);
+* `oidc_backchannel_logout` - [Backchannel Logout](https://gitlab.com/os85/rodauth-oauth/-/wikis/Backchannel-Logout);
 
 This gem supports also rails (through [rodauth-rails]((https://github.com/janko/rodauth-rails))).
 
@@ -83,8 +90,8 @@ Or install it yourself as:
 ## Resources
 |               |                                                             |
 | ------------- | ----------------------------------------------------------- |
-| Website       | https://os85.gitlab.io/rodauth-oauth/            |
-| Documentation | https://os85.gitlab.io/rodauth-oauth/rdoc/       |
+| Website       | https://honeyryderchuck.gitlab.io/rodauth-oauth/            |
+| Documentation | https://honeyryderchuck.gitlab.io/rodauth-oauth/rdoc/       |
 | Wiki          | https://gitlab.com/os85/rodauth-oauth/wikis/home |
 | CI            | https://gitlab.com/os85/rodauth-oauth/pipelines  |
 

data/doc/release_notes/1_4_0.md

@@ -0,0 +1,49 @@
+## 1.4.0 (08/11/2023)
+
+## Highlights
+
+rodauth-oauth is now [OpenID certified](https://openid.net/certification/) for the following logout profiles:
+
+* Session Management OP
+* RP-Initiated Logout OP
+* Front-Channel Logout OP
+* Back-Channel Logout OP
+
+The OIDC server used to run the test can be found [here](https://gitlab.com/os85/rodauth-oauth/-/blob/master/examples/oidc/authentication_server.rb) and deployed [here](https://rodauth-oauth-oidc.onrender.com).
+
+## Features
+
+### OIDC logout features
+
+`rodauth-oauth` ships with the following new features:
+
+* `oidc_sesssion_management` - enables [OIDC session management](https://openid.net/specs/openid-connect-session-1_0.html)
+* `oidc_frontchannel_logout` - enables [OIDC frontchannel logout](https://openid.net/specs/openid-connect-frontchannel-1_0.html)
+* `oidc_backchannel_logout` - enables [OIDC backchannel logout](https://openid.net/specs/openid-connect-backchannel-1_0.html)
+
+which, along with the existing `oidc_rp_initiated_logout`, implemment all OIDC logout profiles.
+
+## Breaking changes
+
+If you're using `oidc`, the dependency on `account_expiration` has been replaced by the `active_sessions` rodauth feature. This change is required because it fixes bugs associated with accounts expiring in order for id token invalidation to work.
+
+If you're migrating, it's recommended that you keep depending on `account_expiration` during the transition, add `active_sessions` tables as per [rodauth specs](https://github.com/jeremyevans/rodauth/blob/master/spec/migrate/001_tables.rb#L150), and run them alongside one another for the max period ID tokens should be valid, after which you can remove `account_expiration` and its tables.
+
+## Improvements
+
+### OAuth SAML Bearer Grant per oauth application settings
+
+The `oauth_saml_bearer_grant` feature requires a new table/resource, SAML settings, which enable "per client applicatioon" SAML settings, and therefore, make this feature usable in enterprise/multi-tenancy scenarios.
+
+## Bugfixes
+
+* remove `html_safe` usage in rails views to prevent XSS in the authorize form.
+* fixed for OIDC RFC 5.4 when requesting claims using scope values
+* `oauth_rp_initiated_logout` does not crash anymore on logout requests with `id_token_hint`
+* `oauth_rp_initiated_logout` now works with response types other than `code`
+* `oauth_rp_initiated_logout` emits an ID token hint invalid message when not able to decode the `id_token_hint`
+
+## Chore
+
+* Using `auth_methods` everywhere where `auth_value_methods` was used and didn't make sense.
+* `oauth_tls_client_auth` is not dependent on the `oauth_jwt` feature, and can therefore be used with non-JWT access tokens, at least with the features which do not require it.

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/authorize.html.erb

@@ -4,7 +4,7 @@
   <% end %>
   <% application_uri = rodauth.oauth_application[rodauth.oauth_applications_homepage_url_column] %>
   <% application_name = application_uri ? link_to(rodauth.oauth_application[rodauth.oauth_applications_name_column], application_uri) : rodauth.oauth_application[rodauth.oauth_applications_name_column] %>
-  <p class="lead"><%= rodauth.authorize_page_lead(name: application_name).html_safe %></p>
+  <p class="lead"><%= rodauth.authorize_page_lead(name: application_name) %></p>
 
   <div class="list-group">
     <% if rodauth.oauth_application[rodauth.oauth_applications_tos_uri_column] %>
@@ -37,10 +37,10 @@
         </div>
       <% end %>
     <% end %>
-    <%= hidden_field_tag :client_id, rodauth.raw_param("client_id") %>
+    <%= hidden_field_tag :client_id, rodauth.param_or_nil("client_id") %>
     <% %w[access_type response_type response_mode state redirect_uri].each do |oauth_param| %>
-      <% if rodauth.raw_param(oauth_param) %>
-        <%= hidden_field_tag oauth_param, rodauth.raw_param(oauth_param) %>
+      <% if rodauth.param_or_nil(oauth_param) %>
+        <%= hidden_field_tag oauth_param, rodauth.param_or_nil(oauth_param) %>
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oauth_resource_indicators) && rodauth.resource_indicators %>
@@ -49,39 +49,39 @@
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oauth_pkce) %>
-      <% if rodauth.raw_param("code_challenge") %>
-        <%= hidden_field_tag :code_challenge, rodauth.raw_param("code_challenge") %>
+      <% if rodauth.param_or_nil("code_challenge") %>
+        <%= hidden_field_tag :code_challenge, rodauth.param_or_nil("code_challenge") %>
       <% end %>
-      <% if rodauth.raw_param("code_challenge_method") %>
-        <%= hidden_field_tag :code_challenge_method, rodauth.raw_param("code_challenge_method") %>
+      <% if rodauth.param_or_nil("code_challenge_method") %>
+        <%= hidden_field_tag :code_challenge_method, rodauth.param_or_nil("code_challenge_method") %>
       <% end %>
     <% end %>
     <% if rodauth.features.include?(:oidc) %>
-      <% if rodauth.raw_param("prompt") %>
-        <%= hidden_field_tag :prompt, rodauth.raw_param("prompt") %>
+      <% if rodauth.param_or_nil("prompt") %>
+        <%= hidden_field_tag :prompt, rodauth.param_or_nil("prompt") %>
       <% end %>
-      <% if rodauth.raw_param("nonce") %>
-        <%= hidden_field_tag :nonce, rodauth.raw_param("nonce") %>
+      <% if rodauth.param_or_nil("nonce") %>
+        <%= hidden_field_tag :nonce, rodauth.param_or_nil("nonce") %>
       <% end %>
-      <% if rodauth.raw_param("ui_locales") %>
-        <%= hidden_field_tag :ui_locales, rodauth.raw_param("ui_locales") %>
+      <% if rodauth.param_or_nil("ui_locales") %>
+        <%= hidden_field_tag :ui_locales, rodauth.param_or_nil("ui_locales") %>
       <% end %>
-      <% if rodauth.raw_param("claims_locales") %>
-        <%= hidden_field_tag :claims_locales, rodauth.raw_param("claims_locales") %>
+      <% if rodauth.param_or_nil("claims_locales") %>
+        <%= hidden_field_tag :claims_locales, rodauth.param_or_nil("claims_locales") %>
       <% end %>
-      <% if rodauth.raw_param("claims") %>
-        <%= hidden_field_tag :claims, sanitize(rodauth.raw_param("claims")) %>
+      <% if rodauth.param_or_nil("claims") %>
+        <%= hidden_field_tag :claims, sanitize(rodauth.param_or_nil("claims")) %>
       <% end %>
-      <% if rodauth.raw_param("acr_values") %>
-        <%= hidden_field_tag :acr_values, rodauth.raw_param("acr_values") %>
+      <% if rodauth.param_or_nil("acr_values") %>
+        <%= hidden_field_tag :acr_values, rodauth.param_or_nil("acr_values") %>
       <% end %>
-      <% if rodauth.raw_param("registration") %>
-        <%= hidden_field_tag :registration, rodauth.raw_param("registration") %>
+      <% if rodauth.param_or_nil("registration") %>
+        <%= hidden_field_tag :registration, rodauth.param_or_nil("registration") %>
       <% end %>
     <% end %>
   </div>
  <p class="text-center">
     <%= submit_tag rodauth.oauth_authorize_button, class: "btn btn-outline-primary" %>
-    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{CGI.escape(rodauth.state)}" if rodauth.raw_param("state") }", class: "btn btn-outline-danger" %>
+    <%= link_to rodauth.oauth_cancel_button, "#{rodauth.redirect_uri}?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request#{"&state=\#{CGI.escape(rodauth.state)}" if rodauth.param_or_nil("state") }", class: "btn btn-outline-danger" %>
   </p>
 <% end %>

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/frontchannel_logout.html.erb

@@ -0,0 +1,10 @@
+<div class="mb-3">
+  <h1><%= rodauth.oauth_frontchannel_logout_redirecting_lead %></h1>
+  <p>
+    <%= rodauth.oauth_frontchannel_logout_redirecting_label(link: link_to(rodauth.oauth_frontchannel_logout_redirecting_link_label, rodauth.logout_redirect)) %>
+  </p>
+  <% rodauth.frontchannel_logout_urls.each do |logout_url| %>
+    <iframe src="<%= logout_url %>"></iframe>
+  <% end %>
+</div>
+<meta http-equiv="refresh" content="5; URL=<%= rodauth.logout_redirect %>" />

data/lib/generators/rodauth/oauth/templates/app/views/rodauth/oauth_applications.html.erb

@@ -26,5 +26,5 @@
       <% end %>
     </tbody>
   </table>
-  <%= rodauth.oauth_management_pagination_links(oauth_applications_ds).html_safe %>
+  <%= rodauth.oauth_management_pagination_links(oauth_applications_ds) %>
 <% end %>

data/lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -59,6 +59,14 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
 
       # :oidc_rp_initiated_logout enabled
       t.string :post_logout_redirect_uris, null: false
+
+      # frontchannel logout
+      t.string :frontchannel_logout_uri
+      t.boolean :frontchannel_logout_session_required, default: false
+
+      # backchannel logout
+      t.string :backchannel_logout_uri
+      t.boolean :backchannel_logout_session_required, default: false
     end
 
     create_table :oauth_grants do |t|
@@ -107,5 +115,17 @@ class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
       t.datetime :expires_in, null: false
       t.index %i[oauth_application_id code], unique: true
     end
+
+    create_table :oauth_saml_settings do |t|
+      t.bigint :oauth_application_id
+      t.foreign_key :oauth_applications, column: :oauth_application_id
+      t.text :idp_cert, null: true
+      t.text :idp_cert_fingerprint, null: true
+      t.string :idp_cert_fingerprint_algorithm, null: true
+      t.boolean :check_idp_cert_expiration, null: true
+      t.text :name_identifier_format, null: true
+      t.string :audience, null: true
+      t.string :issuer, null: false, unique: true
+    end
   end
 end

data/lib/generators/rodauth/oauth/views_generator.rb

@@ -20,11 +20,11 @@ module Rodauth::OAuth
         }.freeze
 
         class_option :features, type: :array,
-                                desc: "Roda OAuth features to generate views for (oauth_applications etc.)",
+                                desc: "Rodauth OAuth features to generate views for (oauth_applications etc.)",
                                 default: DEFAULT
 
         class_option :all, aliases: "-a", type: :boolean,
-                           desc: "Generates views for all Roda OAuth features",
+                           desc: "Generates views for all Rodauth OAuth features",
                            default: false
 
         class_option :directory, aliases: "-d", type: :string,

data/lib/rodauth/features/oauth_application_management.rb

@@ -57,7 +57,7 @@ module Rodauth
     translatable_method :oauth_no_applications_text, "No oauth applications yet!"
     translatable_method :oauth_no_grants_text, "No oauth grants yet!"
 
-    auth_value_methods(
+    auth_methods(
       :oauth_application_path
     )
 

data/lib/rodauth/features/oauth_assertion_base.rb

@@ -6,7 +6,7 @@ module Rodauth
   Feature.define(:oauth_assertion_base, :OauthAssertionBase) do
     depends :oauth_base
 
-    auth_value_methods(
+    auth_methods(
       :assertion_grant_type?,
       :client_assertion_type?,
       :assertion_grant_type,

data/lib/rodauth/features/oauth_authorize_base.rb

@@ -28,7 +28,7 @@ module Rodauth
     translatable_method :oauth_unsupported_response_type_message, "Unsupported response type"
     translatable_method :oauth_authorize_parameter_required, "Invalid or missing '%<parameter>s'"
 
-    auth_value_methods(
+    auth_methods(
       :resource_owner_params,
       :oauth_grants_resource_owner_columns
     )

data/lib/rodauth/features/oauth_base.rb

@@ -109,13 +109,16 @@ module Rodauth
     auth_value_method :oauth_metadata_op_tos_uri, nil
 
     auth_value_methods(
+      :authorization_server_url,
+      :oauth_grants_unique_columns
+    )
+
+    auth_methods(
       :fetch_access_token,
       :secret_hash,
       :generate_token_hash,
       :secret_matches?,
-      :authorization_server_url,
       :oauth_unique_id_generator,
-      :oauth_grants_unique_columns,
       :require_authorizable_account,
       :oauth_account_ds,
       :oauth_application_ds
@@ -753,7 +756,7 @@ module Rodauth
       }
     end
 
-    def redirect_response_error(error_code, redirect_url = redirect_uri || request.referer || default_redirect)
+    def redirect_response_error(error_code, message = nil)
       if accepts_json?
         status_code = if respond_to?(:"oauth_#{error_code}_response_status")
                         send(:"oauth_#{error_code}_response_status")
@@ -761,37 +764,41 @@ module Rodauth
                         oauth_invalid_response_status
                       end
 
-        throw_json_response_error(status_code, error_code)
+        throw_json_response_error(status_code, error_code, message)
       else
+        redirect_url = redirect_uri || request.referer || default_redirect
         redirect_url = URI.parse(redirect_url)
-        params = []
-
-        params << if respond_to?(:"oauth_#{error_code}_error_code")
-                    ["error", send(:"oauth_#{error_code}_error_code")]
-                  else
-                    ["error", error_code]
-                  end
-
-        if respond_to?(:"oauth_#{error_code}_message")
-          message = send(:"oauth_#{error_code}_message")
-          params << ["error_description", CGI.escape(message)]
-        end
-
+        params = response_error_params(error_code, message)
         state = param_or_nil("state")
-
-        params << ["state", state] if state
-
+        params["state"] = state if state
         _redirect_response_error(redirect_url, params)
       end
     end
 
     def _redirect_response_error(redirect_url, params)
-      params = params.map { |k, v| "#{k}=#{v}" }
-      params << redirect_url.query if redirect_url.query
-      redirect_url.query = params.join("&")
+      params = URI.encode_www_form(params)
+      if redirect_url.query
+        params << "&" unless params.empty?
+        params << redirect_url.query
+      end
+      redirect_url.query = params
       redirect(redirect_url.to_s)
     end
 
+    def response_error_params(error_code, message = nil)
+      code = if respond_to?(:"oauth_#{error_code}_error_code")
+               send(:"oauth_#{error_code}_error_code")
+             else
+               error_code
+             end
+      payload = { "error" => code }
+      error_description = message
+      error_description ||= send(:"oauth_#{error_code}_message") if respond_to?(:"oauth_#{error_code}_message")
+      payload["error_description"] = error_description if error_description
+
+      payload
+    end
+
     def json_response_success(body, cache = false)
       response.status = 200
       response["Content-Type"] ||= json_response_content_type
@@ -809,13 +816,7 @@ module Rodauth
 
     def throw_json_response_error(status, error_code, message = nil)
       set_response_error_status(status)
-      code = if respond_to?(:"oauth_#{error_code}_error_code")
-               send(:"oauth_#{error_code}_error_code")
-             else
-               error_code
-             end
-      payload = { "error" => code }
-      payload["error_description"] = message || (send(:"oauth_#{error_code}_message") if respond_to?(:"oauth_#{error_code}_message"))
+      payload = response_error_params(error_code, message)
       json_payload = _json_response_body(payload)
       response["Content-Type"] ||= json_response_content_type
       response["WWW-Authenticate"] = oauth_token_type.upcase if status == 401

data/lib/rodauth/features/oauth_device_code_grant.rb

@@ -35,7 +35,7 @@ module Rodauth
     end
     translatable_method :oauth_grant_user_code_label, "User code"
 
-    auth_value_methods(
+    auth_methods(
       :generate_user_code
     )
 
@@ -173,7 +173,7 @@ module Rodauth
           oauth_grants_user_code_column => param("user_code")
         ).update(oauth_grants_user_code_column => nil, oauth_grants_type_column => "device_code")
 
-        return unless rs.positive?
+        rs if rs.positive?
       else
         super
       end

data/lib/rodauth/features/oauth_dynamic_client_registration.rb

@@ -379,6 +379,7 @@ module Rodauth
 
     def convert_to_boolean(key, value)
       case value
+      when true, false then value
       when "true" then true
       when "false" then false
       else

data/lib/rodauth/features/oauth_grant_management.rb

@@ -21,7 +21,7 @@ module Rodauth
     auth_value_method :oauth_grants_id_pattern, Integer
     auth_value_method :oauth_grants_per_page, 20
 
-    auth_value_methods(
+    auth_methods(
       :oauth_grant_path
     )
 

data/lib/rodauth/features/oauth_jwt.rb

@@ -9,7 +9,7 @@ module Rodauth
 
     auth_value_method :oauth_jwt_access_tokens, true
 
-    auth_value_methods(:jwt_claims)
+    auth_methods(:jwt_claims)
 
     def require_oauth_authorization(*scopes)
       return super unless oauth_jwt_access_tokens
@@ -99,7 +99,7 @@ module Rodauth
     end
 
     def _generate_access_token(*)
-      return super unless oauth_jwt_access_tokens
+      super unless oauth_jwt_access_tokens
     end
 
     def jwt_claims(oauth_grant)
@@ -117,7 +117,7 @@ module Rodauth
         # owner is involved, such as the client credentials grant, the value
         # of "sub" SHOULD correspond to an identifier the authorization
         # server uses to indicate the client application.
-        sub: jwt_subject(oauth_grant),
+        sub: jwt_subject(oauth_grant[oauth_grants_account_id_column]),
         client_id: oauth_application[oauth_applications_client_id_column],
 
         exp: issued_at + oauth_access_token_expires_in,

data/lib/rodauth/features/oauth_jwt_base.rb

@@ -18,7 +18,7 @@ module Rodauth
 
     auth_value_method :oauth_jwt_jwe_copyright, nil
 
-    auth_value_methods(
+    auth_methods(
       :jwt_encode,
       :jwt_decode,
       :jwt_decode_no_key,
@@ -63,12 +63,8 @@ module Rodauth
       end
     end
 
-    def jwt_subject(oauth_grant, client_application = oauth_application)
-      account_id = oauth_grant[oauth_grants_account_id_column]
-
-      return account_id.to_s if account_id
-
-      client_application[oauth_applications_client_id_column]
+    def jwt_subject(account_unique_id, client_application = oauth_application)
+      (account_unique_id || client_application[oauth_applications_client_id_column]).to_s
     end
 
     def resource_owner_params_from_jwt_claims(claims)
@@ -173,6 +169,7 @@ module Rodauth
 
       def jwt_encode(payload,
                      jwks: nil,
+                     headers: {},
                      encryption_algorithm: oauth_jwt_jwe_keys.keys.dig(0, 0),
                      encryption_method: oauth_jwt_jwe_keys.keys.dig(0, 1),
                      jwe_key: oauth_jwt_jwe_keys[[encryption_algorithm,
@@ -186,8 +183,16 @@ module Rodauth
 
         jwk = JSON::JWK.new(key || "")
 
+        # update headers
+        headers.each_key do |k|
+          if jwt.respond_to?(:"#{k}=")
+            jwt.send(:"#{k}=", headers[k])
+            headers.delete(k)
+          end
+        end
+        jwt.header.merge(headers) unless headers.empty?
+
         jwt = jwt.sign(jwk, signing_algorithm)
-        jwt.kid = jwk.thumbprint
 
         return jwt.to_s unless encryption_algorithm && encryption_method
 
@@ -329,8 +334,8 @@ module Rodauth
       end
 
       def jwt_encode(payload,
-                     signing_algorithm: oauth_jwt_keys.keys.first, **)
-        headers = {}
+                     signing_algorithm: oauth_jwt_keys.keys.first,
+                     headers: {}, **)
 
         key = oauth_jwt_keys[signing_algorithm] || _jwt_key
         key = key.first if key.is_a?(Array)

data/lib/rodauth/features/oauth_jwt_bearer_grant.rb

@@ -8,7 +8,7 @@ module Rodauth
 
     auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
 
-    auth_value_methods(
+    auth_methods(
       :require_oauth_application_from_jwt_bearer_assertion_issuer,
       :require_oauth_application_from_jwt_bearer_assertion_subject,
       :account_from_jwt_bearer_assertion

data/lib/rodauth/features/oauth_jwt_jwks.rb

@@ -7,7 +7,7 @@ module Rodauth
   Feature.define(:oauth_jwt_jwks, :OauthJwtJwks) do
     depends :oauth_jwt_base
 
-    auth_value_methods(:jwks_set)
+    auth_methods(:jwks_set)
 
     auth_server_route(:jwks) do |r|
       before_jwks_route

data/lib/rodauth/features/oauth_resource_server.rb

@@ -8,7 +8,7 @@ module Rodauth
 
     auth_value_method :is_authorization_server?, false
 
-    auth_value_methods(
+    auth_methods(
       :before_introspection_request
     )