Hi there
I'm using the following template to generate a jwt:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateJWT name="JWT-Generate-RS256">
  <Algorithm>RS256</Algorithm>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <PrivateKey>
    <Value ref="..."/>
    <Id>...</Id>
  </PrivateKey>
  <Subject ref="..."/>
  <Issuer ref="..."/>
  <Audience ref="..."/>
  <ExpiresIn ref="..."/>
  <AdditionalClaims>
    <Claim name="email" ref="..."/>
  </AdditionalClaims>
  <OutputVariable>...</OutputVariable>
</GenerateJWT>
and I'm getting the "jti" field generated, even though I don't use the <Id> field at all.
I was wondering if it's generated by default? Or is there a way to exclude generating this field?
I'm getting a token validation error when I send it with "jti" field set.
Thank you in advance
is there a way to exclude generating this field?
Today, no. We had intended to make that possible, but ... the original version of the GenerateJWT policy always embeds a jti claim. It would be reasonable to say "that's unnecessary and inappropriate; some implementations might not want a jti," and you would be right. But some customers are already depending on this "always provide a JTI" behavior of the GenerateJWT policy, in production systems. Therefore we could not change the behavior.
Currently with GenerateJWT, your options are: explicitly specify a jti, or you get one generated for you. If the inability to generate JWT without a jti claim is a real hardship, we can accept a feature request to provide a way to turn this off with a new (awkward) attribute on the Id element. But for now it is not possible. And of course I would not be able to make any promises about delivery timelines.
I'm getting a token validation error when I send it with "jti" field set.
That's unfortunate. What system is verifying the token? The jti claim is optional, according to the specification in RFC 7519. I would think a robust verifying application would tolerate the presence of jti, even if the application doesn't use the jti claim.
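To illustrate the verifier side of this answer, here is an added Python example (not from the thread and not the Apigee policy's own code): a claims check that treats jti as the optional claim RFC 7519 defines it as, never rejecting a token for carrying one, and that uses it for replay detection only when the verifier keeps a cache. The issuer, audience and claim values are constructed, and the sample token is unsigned; the signature check is assumed to be done by your JWT library before the payload reaches this code.

```python
import base64
import json

# Constructed sample claims shaped like what the GenerateJWT policy above emits:
# registered claims, the "email" additional claim and an auto-added jti.
SAMPLE_CLAIMS = {
    "iss": "https://issuer.example", "sub": "user-123", "aud": "my-api",
    "iat": 1700000000, "exp": 1700003600,
    "jti": "3f1c6b5e-0c1b-4a5c-9d6e-1a2b3c4d5e6f",  # made-up token id
    "email": "user@example.com",
}

def b64url(data: bytes) -> str:
    """base64url without padding, as JWS uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_unsigned_sample(claims: dict) -> str:
    """Compact serialization with a placeholder signature (demo input only)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.PLACEHOLDER-SIG"

def decode_payload(token: str) -> dict:
    """Return the claims set. Does NOT verify the signature: call it only after
    your JWT library has verified the RS256 signature against the public key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated JWS segments")
    return json.loads(b64url_decode(parts[1]))

def validate_claims(claims, issuer, audience, now, seen_jti=None):
    """RFC 7519 section 4.1 checks; returns a list of problems (empty = OK).
    jti is optional and never an error; a replay cache (seen_jti) uses it to reject reuse."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        problems.append("exp missing or token expired")
    jti = claims.get("jti")
    if seen_jti is not None and jti is not None:
        if jti in seen_jti:
            problems.append("replayed jti")
        else:
            seen_jti.add(jti)
    return problems
```

A verifier built this way accepts the policy's output whether or not jti is present, and a stricter "unknown claim" rejection is the behaviour to look for in the system that produced the validation error.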