From 6cb0ee52496547436ba70c1641f9157a767f7040 Mon Sep 17 00:00:00 2001 From: Max Tropets Date: Mon, 10 Jun 2024 09:38:35 +0000 Subject: [PATCH] Updated CHANGELOG even further (more details) --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 81dd6fe0306a..aafd6180127b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,7 +19,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ### Changed -- Added token.iss claim validation to JWT authentication, as well as saving issuer constraint to the KV on hey-autorefresh (#5809). +- Added token.iss claim validation to JWT authentication (#5809). Must-knows: + - Supports both the [OpenID requirements](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) and the [Entra specification](https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens#validate-the-issuer) of it. + - All keys fetched after the upgrade will not work against tokens missing the 'iss' claim if the issuer has been specified in the .well-known/openid-configuration/. + - Because of the schema change, nodes that delay the upgrade once it starts happening on the system may keep stale keys (if key auto-refresh happens until all nodes are upgraded). + - [#6222](https://github.com/microsoft/CCF/issues/6222) will get rid of all tables completely in on of the following releases. ## [5.0.0-dev17]
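Review bot: The third added bullet of the CHANGELOG.md hunk refers to "the schema change" without saying what changed. The line it replaces mentioned saving the issuer constraint to the KV on key auto-refresh, and the new text drops that, so a reader can no longer tell which schema is meant; suggest naming it in that bullet. In the same bullet, "if key auto-refresh happens until all nodes are upgraded" reads as if it should be "before all nodes are upgraded", and the entry gives operators no hint of what to do about stale keys once the upgrade completes. The second bullet would be clearer if it stated the outcome directly, for example that tokens without an 'iss' claim are rejected when the issuer is specified in the OpenID configuration, and the trailing slash on ".well-known/openid-configuration/" looks unintended. The last bullet has a typo ("in on of the following releases" should be "in one of the following releases"), and "all tables" is ambiguous; say which tables #6222 removes.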