rodauth-oauth 1.3.2 → 1.5.0

data/lib/rodauth/features/oauth_dpop.rb

@@ -0,0 +1,410 @@
+# frozen_string_literal: true
+
+require "rodauth/oauth"
+require "logger"
+
+module Rodauth
+  Feature.define(:oauth_dpop, :OauthDpop) do
+    depends :oauth_jwt, :oauth_authorize_base
+
+    auth_value_method :oauth_invalid_token_error_response_status, 401
+    auth_value_method :oauth_multiple_auth_methods_response_status, 401
+    auth_value_method :oauth_access_token_dpop_bound_response_status, 401
+
+    translatable_method :oauth_invalid_dpop_proof_message, "Invalid DPoP proof"
+    translatable_method :oauth_multiple_auth_methods_message, "Multiple methods used to include access token"
+    auth_value_method :oauth_multiple_dpop_proofs_error_code, "invalid_request"
+    translatable_method :oauth_multiple_dpop_proofs_message, "Multiple DPoP proofs used"
+    auth_value_method :oauth_invalid_dpop_jkt_error_code, "invalid_dpop_proof"
+    translatable_method :oauth_invalid_dpop_jkt_message, "Invalid DPoP JKT"
+    auth_value_method :oauth_invalid_dpop_jti_error_code, "invalid_dpop_proof"
+    translatable_method :oauth_invalid_dpop_jti_message, "Invalid DPoP jti"
+    auth_value_method :oauth_invalid_dpop_htm_error_code, "invalid_dpop_proof"
+    translatable_method :oauth_invalid_dpop_htm_message, "Invalid DPoP htm"
+    auth_value_method :oauth_invalid_dpop_htu_error_code, "invalid_dpop_proof"
+    translatable_method :oauth_invalid_dpop_htu_message, "Invalid DPoP htu"
+    translatable_method :oauth_access_token_dpop_bound_message, "DPoP bound access token requires DPoP proof"
+
+    translatable_method :oauth_use_dpop_nonce_message, "DPoP nonce is required"
+
+    auth_value_method :oauth_dpop_proof_expires_in, 60 * 5 # 5 minutes
+    auth_value_method :oauth_dpop_bound_access_tokens, false
+    auth_value_method :oauth_dpop_use_nonce, false
+    auth_value_method :oauth_dpop_nonce_expires_in, 5 # 5 seconds
+    auth_value_method :oauth_dpop_signing_alg_values_supported,
+                      %w[
+                        RS256
+                        RS384
+                        RS512
+                        PS256
+                        PS384
+                        PS512
+                        ES256
+                        ES384
+                        ES512
+                        ES256K
+                      ]
+
+    auth_value_method :oauth_applications_dpop_bound_access_tokens_column, :dpop_bound_access_tokens
+    auth_value_method :oauth_grants_dpop_jkt_column, :dpop_jkt
+    auth_value_method :oauth_pushed_authorization_requests_dpop_jkt_column, :dpop_jkt
+
+    auth_value_method :oauth_dpop_proofs_table, :oauth_dpop_proofs
+    auth_value_method :oauth_dpop_proofs_jti_column, :jti
+    auth_value_method :oauth_dpop_proofs_first_use_column, :first_use
+
+    auth_methods(:validate_dpop_proof_usage)
+
+    def require_oauth_authorization(*scopes)
+      @dpop_access_token = fetch_access_token_from_authorization_header("dpop")
+
+      unless @dpop_access_token
+        authorization_required if oauth_dpop_bound_access_tokens
+
+        # Specifically, such a protected resource MUST reject a DPoP-bound access token received as a bearer token
+        redirect_response_error("access_token_dpop_bound") if authorization_token && authorization_token.dig("cnf", "jkt")
+
+        return super
+      end
+
+      dpop = fetch_dpop_token
+
+      dpop_claims = validate_dpop_token(dpop)
+
+      # 4.3.12
+      validate_ath(dpop_claims, @dpop_access_token)
+
+      @authorization_token = decode_access_token(@dpop_access_token)
+
+      # 4.3.12 - confirm that the public key to which the access token is bound matches the public key from the DPoP proof.
+      jkt = authorization_token.dig("cnf", "jkt")
+
+      redirect_response_error("invalid_dpop_jkt") if oauth_dpop_bound_access_tokens && !jkt
+
+      redirect_response_error("invalid_dpop_jkt") unless jkt == @dpop_thumbprint
+
+      super
+    end
+
+    private
+
+    def validate_token_params
+      dpop = fetch_dpop_token
+
+      unless dpop
+        authorization_required if dpop_bound_access_tokens_required?
+
+        return super
+      end
+
+      validate_dpop_token(dpop)
+
+      super
+    end
+
+    def validate_par_params
+      super
+
+      return unless (dpop = fetch_dpop_token)
+
+      validate_dpop_token(dpop)
+
+      if (dpop_jkt = param_or_nil("dpop_jkt"))
+        redirect_response_error("invalid_request") if dpop_jkt != @dpop_thumbprint
+      else
+        request.params["dpop_jkt"] = @dpop_thumbprint
+      end
+    end
+
+    def validate_dpop_token(dpop)
+      # 4.3.2
+      @dpop_claims = dpop_decode(dpop)
+      redirect_response_error("invalid_dpop_proof") unless @dpop_claims
+
+      validate_dpop_jwt_claims(@dpop_claims)
+
+      # 4.3.10
+      validate_nonce(@dpop_claims)
+
+      # 11.1
+      # To prevent multiple uses of the same DPoP proof, servers can store, in the
+      # context of the target URI, the jti value of each DPoP proof for the time window
+      # in which the respective DPoP proof JWT would be accepted.
+      validate_dpop_proof_usage(@dpop_claims)
+
+      @dpop_claims
+    end
+
+    def validate_dpop_proof_usage(claims)
+      jti = claims["jti"]
+
+      dpop_proof = __insert_or_do_nothing_and_return__(
+        db[oauth_dpop_proofs_table],
+        oauth_dpop_proofs_jti_column,
+        [oauth_dpop_proofs_jti_column],
+        oauth_dpop_proofs_jti_column => Digest::SHA256.hexdigest(jti),
+        oauth_dpop_proofs_first_use_column => Sequel::CURRENT_TIMESTAMP
+      )
+
+      return unless (Time.now - dpop_proof[oauth_dpop_proofs_first_use_column]) > oauth_dpop_proof_expires_in
+
+      redirect_response_error("invalid_dpop_proof")
+    end
+
+    def dpop_decode(dpop)
+      # decode first without verifying!
+      _, headers = jwt_decode_no_key(dpop)
+
+      redirect_response_error("invalid_dpop_proof") unless verify_dpop_jwt_headers(headers)
+
+      dpop_jwk = headers["jwk"]
+
+      jwt_decode(
+        dpop,
+        jws_key: jwk_key(dpop_jwk),
+        jws_algorithm: headers["alg"],
+        verify_iss: false,
+        verify_aud: false,
+        verify_jti: false
+      )
+    end
+
+    def verify_dpop_jwt_headers(headers)
+      # 4.3.4 - A field with the value dpop+jwt
+      return false unless headers["typ"] == "dpop+jwt"
+
+      # 4.3.5 - It MUST NOT be none or an identifier for a symmetric algorithm
+      alg = headers["alg"]
+      return false unless alg && oauth_dpop_signing_alg_values_supported.include?(alg)
+
+      dpop_jwk = headers["jwk"]
+
+      return false unless dpop_jwk
+
+      # 4.3.7 - It MUST NOT contain a private key.
+      return false if private_jwk?(dpop_jwk)
+
+      # store thumbprint for future assertions
+      @dpop_thumbprint = jwk_thumbprint(dpop_jwk)
+
+      true
+    end
+
+    def validate_dpop_jwt_claims(claims)
+      jti = claims["jti"]
+
+      unless jti && jti == Digest::SHA256.hexdigest("#{request.request_method}:#{request.url}:#{claims['iat']}")
+        redirect_response_error("invalid_dpop_jti")
+      end
+
+      htm = claims["htm"]
+
+      # 4.3.8 - Check if htm matches the request method
+      redirect_response_error("invalid_dpop_htm") unless htm && htm == request.request_method
+
+      htu = claims["htu"]
+
+      # 4.3.9 - Check if htu matches the request URL
+      redirect_response_error("invalid_dpop_htu") unless htu && htu == request.url
+    end
+
+    def validate_ath(claims, access_token)
+      # When the DPoP proof is used in conjunction with the presentation of an access token in protected resource access
+      # the DPoP proof MUST also contain the following claim
+      ath = claims["ath"]
+
+      redirect_response_error("invalid_token") unless ath
+
+      # The value MUST be the result of a base64url encoding of the SHA-256 hash of the ASCII encoding of
+      # the associated access token's value.
+      redirect_response_error("invalid_token") unless ath == Base64.urlsafe_encode64(Digest::SHA256.digest(access_token), padding: false)
+    end
+
+    def validate_nonce(claims)
+      nonce = claims["nonce"]
+
+      unless nonce
+        dpop_nonce_required(claims) if dpop_use_nonce?
+
+        return
+      end
+
+      dpop_nonce_required(claims) unless valid_dpop_nonce?(nonce)
+    end
+
+    def jwt_claims(oauth_grant)
+      claims = super
+      if @dpop_thumbprint
+        # the authorization server associates the issued access token with the
+        # public key from the DPoP proof
+        claims[:cnf] = { jkt: @dpop_thumbprint }
+      end
+      claims
+    end
+
+    def generate_token(grant_params = {}, should_generate_refresh_token = true)
+      # When an authorization server supporting DPoP issues a refresh token to a public client
+      # that presents a valid DPoP proof at the token endpoint, the refresh token MUST be bound to the respective public key.
+      grant_params[oauth_grants_dpop_jkt_column] = @dpop_thumbprint if @dpop_thumbprint
+      super
+    end
+
+    def valid_oauth_grant_ds(grant_params = nil)
+      ds = super
+
+      ds = ds.where(oauth_grants_dpop_jkt_column => nil)
+      ds = ds.or(oauth_grants_dpop_jkt_column => @dpop_thumbprint) if @dpop_thumbprint
+      ds
+    end
+
+    def oauth_grant_by_refresh_token_ds(_token, revoked: false)
+      ds = super
+      # The binding MUST be validated when the refresh token is later presented to get new access tokens.
+      ds = ds.where(oauth_grants_dpop_jkt_column => nil)
+      ds = ds.or(oauth_grants_dpop_jkt_column => @dpop_thumbprint) if @dpop_thumbprint
+      ds
+    end
+
+    def oauth_grant_by_token_ds(_token)
+      ds = super
+      # The binding MUST be validated when the refresh token is later presented to get new access tokens.
+      ds = ds.where(oauth_grants_dpop_jkt_column => nil)
+      ds = ds.or(oauth_grants_dpop_jkt_column => @dpop_thumbprint) if @dpop_thumbprint
+      ds
+    end
+
+    def create_oauth_grant(create_params = {})
+      # 10. Authorization Code Binding to DPoP Key
+      # Binding the authorization code issued to the client's proof-of-possession key can enable end-to-end
+      # binding of the entire authorization flow.
+      if (dpop_jkt = param_or_nil("dpop_jkt"))
+        create_params[oauth_grants_dpop_jkt_column] = dpop_jkt
+      end
+
+      super
+    end
+
+    def json_access_token_payload(oauth_grant)
+      payload = super
+      # 5. A token_type of DPoP MUST be included in the access token response to
+      # signal to the client that the access token was bound to its DPoP key
+      payload["token_type"] = "DPoP" if @dpop_claims
+      payload
+    end
+
+    def fetch_dpop_token
+      dpop = request.env["HTTP_DPOP"]
+
+      return if dpop.nil? || dpop.empty?
+
+      # 4.3.1 - There is not more than one DPoP HTTP request header field.
+      redirect_response_error("multiple_dpop_proofs") if dpop.split(";").size > 1
+
+      dpop
+    end
+
+    def dpop_bound_access_tokens_required?
+      oauth_dpop_bound_access_tokens || (oauth_application && oauth_application[oauth_applications_dpop_bound_access_tokens_column])
+    end
+
+    def dpop_use_nonce?
+      oauth_dpop_use_nonce || (oauth_application && oauth_application[oauth_applications_dpop_bound_access_tokens_column])
+    end
+
+    def valid_dpop_proof_required(error_code = "invalid_dpop_proof")
+      if @dpop_access_token
+        # protected resource access
+        throw_json_response_error(401, error_code)
+      else
+        redirect_response_error(error_code)
+      end
+    end
+
+    def dpop_nonce_required(dpop_claims)
+      response["DPoP-Nonce"] = generate_dpop_nonce(dpop_claims)
+
+      if @dpop_access_token
+        # protected resource access
+        throw_json_response_error(401, "use_dpop_nonce")
+      else
+        redirect_response_error("use_dpop_nonce")
+      end
+    end
+
+    def www_authenticate_header(payload)
+      header = if dpop_bound_access_tokens_required?
+                 "DPoP"
+               else
+                 "#{super}, DPoP"
+               end
+
+      error_code = payload["error"]
+
+      unless error_code == "invalid_client"
+        header = "#{header} error=\"#{error_code}\""
+
+        if (desc = payload["error_description"])
+          header = "#{header} error_description=\"#{desc}\""
+        end
+      end
+
+      algs = oauth_dpop_signing_alg_values_supported.join(" ")
+
+      "#{header} algs=\"#{algs}\""
+    end
+
+    # Nonce
+
+    def generate_dpop_nonce(dpop_claims)
+      issued_at = Time.now.to_i
+
+      aud = "#{dpop_claims['htm']}:#{dpop_claims['htu']}"
+
+      nonce_claims = {
+        iss: oauth_jwt_issuer,
+        iat: issued_at,
+        exp: issued_at + oauth_dpop_nonce_expires_in,
+        aud: aud
+      }
+
+      jwt_encode(nonce_claims)
+    end
+
+    def valid_dpop_nonce?(nonce)
+      nonce_claims = jwt_decode(nonce, verify_aud: false, verify_jti: false)
+
+      return false unless nonce_claims
+
+      jti = nonce_claims["jti"]
+
+      return false unless jti
+
+      return false unless jti == Digest::SHA256.hexdigest("#{request.request_method}:#{request.url}:#{nonce_claims['iat']}")
+
+      return false unless nonce_claims.key?("aud")
+
+      htm, htu = nonce_claims["aud"].split(":", 2)
+
+      htm == request.request_method && htu == request.url
+    end
+
+    def json_token_introspect_payload(grant_or_claims)
+      claims = super
+
+      return claims unless grant_or_claims
+
+      if (jkt = grant_or_claims.dig("cnf", "jkt"))
+        (claims[:cnf] ||= {})[:jkt] = jkt
+        claims[:token_type] = "DPoP"
+      end
+
+      claims
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:dpop_signing_alg_values_supported] = oauth_dpop_signing_alg_values_supported
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_dynamic_client_registration.rb

@@ -18,7 +18,7 @@ module Rodauth
       request.on(registration_client_uri_route) do
         # CLIENT REGISTRATION URI
         request.on(String) do |client_id|
-          (token = ((v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1]))
+          (token = (v = request.env["HTTP_AUTHORIZATION"]) && v[/\A *Bearer (.*)\Z/, 1])
 
           next unless token
 
@@ -200,6 +200,14 @@ module Rodauth
         when "client_name"
           register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(value)) unless value.is_a?(String)
           key = oauth_applications_name_column
+        when "dpop_bound_access_tokens"
+          unless respond_to?(:oauth_applications_dpop_bound_access_tokens_column)
+            register_throw_json_response_error("invalid_client_metadata",
+                                               register_invalid_param_message(key))
+          end
+          request_params[key] = value = convert_to_boolean(key, value)
+
+          key = oauth_applications_dpop_bound_access_tokens_column
         when "require_signed_request_object"
           unless respond_to?(:oauth_applications_require_signed_request_object_column)
             register_throw_json_response_error("invalid_client_metadata",
@@ -291,7 +299,8 @@ module Rodauth
         create_params[oauth_applications_token_endpoint_auth_method_column] ||= begin
           # If unspecified or omitted, the default is "client_secret_basic", denoting the HTTP Basic
           # authentication scheme as specified in Section 2.3.1 of OAuth 2.0.
-          return_params["token_endpoint_auth_method"] = "client_secret_basic"
+          return_params["token_endpoint_auth_method"] =
+            "client_secret_basic"
           "client_secret_basic"
         end
       end
@@ -379,6 +388,7 @@ module Rodauth
 
     def convert_to_boolean(key, value)
       case value
+      when true, false then value
       when "true" then true
       when "false" then false
       else

data/lib/rodauth/features/oauth_grant_management.rb

@@ -21,7 +21,7 @@ module Rodauth
     auth_value_method :oauth_grants_id_pattern, Integer
     auth_value_method :oauth_grants_per_page, 20
 
-    auth_value_methods(
+    auth_methods(
       :oauth_grant_path
     )
 

data/lib/rodauth/features/oauth_jwt.rb

@@ -9,7 +9,7 @@ module Rodauth
 
     auth_value_method :oauth_jwt_access_tokens, true
 
-    auth_value_methods(:jwt_claims)
+    auth_methods(:jwt_claims)
 
     def require_oauth_authorization(*scopes)
       return super unless oauth_jwt_access_tokens
@@ -50,23 +50,22 @@ module Rodauth
 
       return @authorization_token if defined?(@authorization_token)
 
-      @authorization_token = begin
-        access_token = fetch_access_token
+      @authorization_token = decode_access_token
+    end
 
-        return unless access_token
+    def decode_access_token(access_token = fetch_access_token)
+      return unless access_token
 
-        jwt_claims = jwt_decode(access_token)
+      jwt_claims = jwt_decode(access_token)
 
-        return unless jwt_claims
+      return unless jwt_claims
 
-        return unless jwt_claims["sub"]
+      return unless jwt_claims["sub"]
 
-        return unless jwt_claims["aud"]
+      return unless jwt_claims["aud"]
 
-        jwt_claims
-      end
+      jwt_claims
     end
-
     # /token
 
     def create_token_from_token(_grant, update_params)
@@ -99,7 +98,7 @@ module Rodauth
     end
 
     def _generate_access_token(*)
-      return super unless oauth_jwt_access_tokens
+      super unless oauth_jwt_access_tokens
     end
 
     def jwt_claims(oauth_grant)
@@ -117,7 +116,7 @@ module Rodauth
         # owner is involved, such as the client credentials grant, the value
         # of "sub" SHOULD correspond to an identifier the authorization
         # server uses to indicate the client application.
-        sub: jwt_subject(oauth_grant),
+        sub: jwt_subject(oauth_grant[oauth_grants_account_id_column]),
         client_id: oauth_application[oauth_applications_client_id_column],
 
         exp: issued_at + oauth_access_token_expires_in,

data/lib/rodauth/features/oauth_jwt_base.rb

@@ -18,7 +18,7 @@ module Rodauth
 
     auth_value_method :oauth_jwt_jwe_copyright, nil
 
-    auth_value_methods(
+    auth_methods(
       :jwt_encode,
       :jwt_decode,
       :jwt_decode_no_key,
@@ -63,12 +63,8 @@ module Rodauth
       end
     end
 
-    def jwt_subject(oauth_grant, client_application = oauth_application)
-      account_id = oauth_grant[oauth_grants_account_id_column]
-
-      return account_id.to_s if account_id
-
-      client_application[oauth_applications_client_id_column]
+    def jwt_subject(account_unique_id, client_application = oauth_application)
+      (account_unique_id || client_application[oauth_applications_client_id_column]).to_s
     end
 
     def resource_owner_params_from_jwt_claims(claims)
@@ -171,8 +167,13 @@ module Rodauth
         jwk.thumbprint
       end
 
+      def private_jwk?(jwk)
+        %w[d p q dp dq qi].any?(&jwk.method(:key?))
+      end
+
       def jwt_encode(payload,
                      jwks: nil,
+                     headers: {},
                      encryption_algorithm: oauth_jwt_jwe_keys.keys.dig(0, 0),
                      encryption_method: oauth_jwt_jwe_keys.keys.dig(0, 1),
                      jwe_key: oauth_jwt_jwe_keys[[encryption_algorithm,
@@ -186,8 +187,16 @@ module Rodauth
 
         jwk = JSON::JWK.new(key || "")
 
+        # update headers
+        headers.each_key do |k|
+          if jwt.respond_to?(:"#{k}=")
+            jwt.send(:"#{k}=", headers[k])
+            headers.delete(k)
+          end
+        end
+        jwt.header.merge(headers) unless headers.empty?
+
         jwt = jwt.sign(jwk, signing_algorithm)
-        jwt.kid = jwk.thumbprint
 
         return jwt.to_s unless encryption_algorithm && encryption_method
 
@@ -217,6 +226,7 @@ module Rodauth
         verify_jti: true,
         verify_iss: true,
         verify_aud: true,
+        verify_headers: nil,
         **
       )
         jws_key = jws_key.first if jws_key.is_a?(Array)
@@ -267,6 +277,8 @@ module Rodauth
           return
         end
 
+        return if verify_headers && !verify_headers.call(claims.header)
+
         claims
       rescue JSON::JWT::Exception
         nil
@@ -328,9 +340,13 @@ module Rodauth
         JWT::JWK::Thumbprint.new(jwk).generate
       end
 
+      def private_jwk?(jwk)
+        jwk_import(jwk).private?
+      end
+
       def jwt_encode(payload,
-                     signing_algorithm: oauth_jwt_keys.keys.first, **)
-        headers = {}
+                     signing_algorithm: oauth_jwt_keys.keys.first,
+                     headers: {}, **)
 
         key = oauth_jwt_keys[signing_algorithm] || _jwt_key
         key = key.first if key.is_a?(Array)
@@ -389,7 +405,8 @@ module Rodauth
         verify_claims: true,
         verify_jti: true,
         verify_iss: true,
-        verify_aud: true
+        verify_aud: true,
+        verify_headers: nil
       )
         jws_key = jws_key.first if jws_key.is_a?(Array)
 
@@ -416,32 +433,34 @@ module Rodauth
                                end
 
         # decode jwt
-        claims = if is_authorization_server?
-                   if jwks
-                     jwks = jwks[:keys] if jwks.is_a?(Hash)
-
-                     # JWKs may be set up without a KID, when there's a single one
-                     if jwks.size == 1 && !jwks[0][:kid]
-                       key = jwks[0]
-                       algo = key[:alg]
-                       key = JWT::JWK.import(key).keypair
-                       JWT.decode(token, key, true, algorithms: [algo], **verify_claims_params).first
-                     else
-                       algorithms = jws_algorithm ? [jws_algorithm] : jwks.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-                       JWT.decode(token, nil, true, algorithms: algorithms, jwks: { keys: jwks }, **verify_claims_params).first
-                     end
-                   elsif jws_key
-                     JWT.decode(token, jws_key, true, algorithms: [jws_algorithm], **verify_claims_params).first
-                   else
-                     JWT.decode(token, jws_key, false, **verify_claims_params).first
-                   end
-                 elsif (jwks = auth_server_jwks_set)
-                   algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
-                   JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms, **verify_claims_params).first
-                 end
+        claims, headers = if is_authorization_server?
+                            if jwks
+                              jwks = jwks[:keys] if jwks.is_a?(Hash)
+
+                              # JWKs may be set up without a KID, when there's a single one
+                              if jwks.size == 1 && !jwks[0][:kid]
+                                key = jwks[0]
+                                algo = key[:alg]
+                                key = JWT::JWK.import(key).keypair
+                                JWT.decode(token, key, true, algorithms: [algo], **verify_claims_params)
+                              else
+                                algorithms = jws_algorithm ? [jws_algorithm] : jwks.select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+                                JWT.decode(token, nil, true, algorithms: algorithms, jwks: { keys: jwks }, **verify_claims_params)
+                              end
+                            elsif jws_key
+                              JWT.decode(token, jws_key, true, algorithms: [jws_algorithm], **verify_claims_params)
+                            else
+                              JWT.decode(token, jws_key, false, **verify_claims_params)
+                            end
+                          elsif (jwks = auth_server_jwks_set)
+                            algorithms = jwks[:keys].select { |k| k[:use] == "sig" }.map { |k| k[:alg] }
+                            JWT.decode(token, nil, true, jwks: jwks, algorithms: algorithms, **verify_claims_params)
+                          end
 
         return if verify_claims && verify_aud && !verify_aud(claims["aud"], claims["client_id"])
 
+        return if verify_headers && !verify_headers.call(headers)
+
         claims
       rescue JWT::DecodeError, JWT::JWKError
         nil
@@ -499,6 +518,10 @@ module Rodauth
       def jwt_decode(_token, **)
         raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
       end
+
+      def private_jwk?(_jwk)
+        raise "#{__method__} is undefined, redefine it or require either \"jwt\" or \"json-jwt\""
+      end
       # :nocov:
     end
   end

data/lib/rodauth/features/oauth_jwt_bearer_grant.rb

@@ -8,7 +8,7 @@ module Rodauth
 
     auth_value_method :max_param_bytesize, nil if Rodauth::VERSION >= "2.26.0"
 
-    auth_value_methods(
+    auth_methods(
       :require_oauth_application_from_jwt_bearer_assertion_issuer,
       :require_oauth_application_from_jwt_bearer_assertion_subject,
       :account_from_jwt_bearer_assertion