
Conversation

rromanchuk

AWS Cognito coupled with OIDC ALB "termination"/offloading uses slightly modified handling for verifying JWT claims

@CodingAnarchy
Owner

Hey @rromanchuk, thanks for starting this contribution. Please let me know when you feel you have it tested and ready to review, and I will make sure it gets in.

@rromanchuk
Author

@CodingAnarchy I'll push some more changes right now. I had to think about it some more. At first I was thinking a simple config switch to branch between the two, but it turns out it's actually way more useful if there is no additional config requirement. The reason being, you still basically have to implement both versions for the Rails development environment, so a "just works" in any context is so much nicer.

I'll push up what I'm thinking, just so you can see what I mean. I tested the ALB flow in isolation, just to make sure I was able to successfully decode/verify the claims; now I'm just coming back to this.

@rromanchuk
Author

Basically, the token instance will introspect the decoded header using the signer key to figure out which endpoint is responsible for minting, and then I just moved the jws method into the token class so it can pivot around the issuer, without injecting more complexity elsewhere.
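The header-introspection approach described in the comment above, as an added illustration that is not the PR's or the gem's code: a token class that decodes the JWT header first, routes ALB-minted tokens (which carry a "signer" header naming the load balancer and are ES256-signed) to the ALB public-key lookup and Cognito-minted tokens (RS256, "kid" found in the user pool JWKS) to the JWKS lookup, pins the key type to the algorithm, and only then verifies signature, issuer and expiry. It uses only the Ruby standard library. The issuer, ARN, key IDs and in-memory key tables are constructed stand-ins for what real code would fetch from the Cognito JWKS URL and from the regional ALB public-key endpoint; the `RESOLVE_KEY`, `mint_*` and `verify_token` names are this example's own.

```ruby
require 'openssl'
require 'json'

# Constructed stand-ins (example only). In production the RSA key comes from the
# user pool's /.well-known/jwks.json and the EC key from
# https://public-keys.auth.elb.<region>.amazonaws.com/<kid>.
COGNITO_ISSUER  = 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE'
ALB_ARN         = 'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example/abcdef'
COGNITO_JWKS    = { 'cog-key-1' => OpenSSL::PKey::RSA.new(2048) }
ALB_PUBLIC_KEYS = { 'alb-key-1' => OpenSSL::PKey::EC.generate('prime256v1') }

def b64url_encode(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end

# Accepts both unpadded (Cognito) and padded (ALB) base64url segments.
def b64url_decode(str)
  (str + '=' * ((4 - str.length % 4) % 4)).tr('-_', '+/').unpack('m0').first
end

# JOSE ES256 signatures are raw r||s (64 bytes); OpenSSL wants DER.
def der_to_raw(der)
  OpenSSL::ASN1.decode(der).value.map { |i| i.value.to_s(2).rjust(32, "\0") }.join
end

def raw_to_der(raw)
  raise 'bad ES256 signature length' unless raw.bytesize == 64
  ints = [raw[0, 32], raw[32, 32]].map { |v| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(v, 2)) }
  OpenSSL::ASN1::Sequence.new(ints).to_der
end

# Picks the key for a token based on who minted it. Real code fetches over HTTPS
# and caches by kid; here the tables above stand in for those endpoints.
RESOLVE_KEY = lambda do |source, header|
  case source
  when :alb
    raise 'unexpected signer' unless header['signer'] == ALB_ARN
    ALB_PUBLIC_KEYS.fetch(header['kid']) { raise "unknown ALB kid #{header['kid']}" }
  when :cognito
    COGNITO_JWKS.fetch(header['kid']) { raise "unknown Cognito kid #{header['kid']}" }
  end
end

class Token
  attr_reader :header, :payload

  def initialize(raw, resolve_key)
    @segments = raw.split('.')
    raise ArgumentError, 'malformed JWT' unless @segments.size == 3
    @header  = JSON.parse(b64url_decode(@segments[0]).force_encoding('UTF-8'))
    @payload = JSON.parse(b64url_decode(@segments[1]).force_encoding('UTF-8'))
    @resolve_key = resolve_key
  end

  # ALB-minted tokens carry the load balancer ARN in a "signer" header; Cognito tokens do not.
  def source
    header.key?('signer') ? :alb : :cognito
  end

  def verify!(now: Time.now.to_i)
    alg = header['alg']
    key = @resolve_key.call(source, header)
    # Pin key type to algorithm so a forged header cannot pick a different verifier.
    expected = { 'RS256' => OpenSSL::PKey::RSA, 'ES256' => OpenSSL::PKey::EC }[alg]
    raise "alg #{alg.inspect} does not match key type" unless expected && key.is_a?(expected)
    sig = b64url_decode(@segments[2])
    sig = raw_to_der(sig) if alg == 'ES256'
    raise 'bad signature' unless key.verify(OpenSSL::Digest.new('SHA256'), sig, @segments[0, 2].join('.'))
    # ALB puts iss/exp in the header; Cognito puts them in the payload.
    raise 'unexpected issuer' unless (payload['iss'] || header['iss']) == COGNITO_ISSUER
    exp = payload['exp'] || header['exp']
    raise 'expired' unless exp.is_a?(Integer) && exp > now
    payload
  end
end

# Minting helpers so the example runs offline (example only; the services do this).
def mint(header, payload, key)
  input = [header, payload].map { |h| b64url_encode(JSON.generate(h)) }.join('.')
  der = key.sign(OpenSSL::Digest.new('SHA256'), input)
  "#{input}.#{b64url_encode(header['alg'] == 'ES256' ? der_to_raw(der) : der)}"
end

def mint_cognito_token(exp: Time.now.to_i + 300)
  mint({ 'alg' => 'RS256', 'kid' => 'cog-key-1', 'typ' => 'JWT' },
       { 'iss' => COGNITO_ISSUER, 'sub' => 'user-1', 'exp' => exp }, COGNITO_JWKS['cog-key-1'])
end

def mint_alb_token(exp: Time.now.to_i + 300)
  mint({ 'alg' => 'ES256', 'kid' => 'alb-key-1', 'signer' => ALB_ARN, 'iss' => COGNITO_ISSUER,
         'client' => 'example-client', 'exp' => exp, 'typ' => 'JWT' },
       { 'sub' => 'user-1', 'email' => 'user@example.com' }, ALB_PUBLIC_KEYS['alb-key-1'])
end

def verify_token(raw)
  Token.new(raw, RESOLVE_KEY).verify!
end
```

Because the routing decision is made from the header alone, the same call path works whether the app sits behind an ALB doing OIDC offload or talks to Cognito directly in development, which is the "no extra config" property the comment is after; the key-type pin is what stops a header that lies about its algorithm from being verified against the wrong key.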

@CodingAnarchy
Owner

I think this is a good approach to take, and it looks like it will make it more extensible for other token patterns that AWS may have in the future.

Do you mind adding some tests for the ALB flow and cleaning up the code that was moved?

@rromanchuk
Author

Yeah, I'll polish this up and push it up for review.

@rromanchuk
Author

Sorry for the delay, let me add a couple more tests and test it live behind my ALB.
