Introducing a feature toggle for JTI in tokenAuth #1262

alvinangjh · 2024-06-04T05:55:49Z

alvinangjh
Jun 4, 2024

In oidc-provider/lib/shared/token_jwt_auth.js, the function getTokenJwtAuth checks for the presence of payload.jti, which is used for Replay Detection. However, RFC-7519 states that jti is optional. The same statement iss mentioned in several other auth documentation such as Okta.

Hence, I would like to know if there is any future plan for jti to be made optional?

panva · 2024-06-04T06:31:47Z

panva
Jun 4, 2024
Maintainer

Client authentication methods client_secret_jwt and private_key_jwt are defined in OpenID Connect Core 1.0, the jti claim is REQUIRED in these assertions.

Hence, I would like to know if there is any future plan for jti to be made optional?

There is not. OAuth profiles such as FAPI use the OIDC definition, with jti REQUIRED.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Introducing a feature toggle for JTI in tokenAuth #1262

{{title}}

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Introducing a feature toggle for JTI in tokenAuth #1262

alvinangjh Jun 4, 2024

Replies: 1 comment

panva Jun 4, 2024 Maintainer

alvinangjh
Jun 4, 2024

panva
Jun 4, 2024
Maintainer