Exclude generating id in GenerateJWT policy

Hi there

I'm using the following template to generate a jwt:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateJWT name="JWT-Generate-RS256">
    <Algorithm>RS256</Algorithm>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <PrivateKey>
        <Value ref="..."/>
        <Id>...</Id>
    </PrivateKey>
    <Subject ref="..."/>
    <Issuer ref="..."/>
    <Audience ref="..."/>
    <ExpiresIn ref="..."/>
    <AdditionalClaims>
        <Claim name="email" ref="..."/>
    </AdditionalClaims>
    <OutputVariable>...</OutputVariable>
</GenerateJWT>

and I'm getting the "jti" field generated, even if I don't use the <Id> field at all.

I was wondering if it's generated by default? Or is there a way to exclude generating this field?

I'm getting a token validation error when I send it with "jti" field set.

Thank you in advance

1 ACCEPTED SOLUTION

is there a way to exclude generating this field?

Today, No. We had intended to make that possible, but ... the original version of the GenerateJWT policy always embeds a jti claim. It would be reasonable to say "that's unnecessary and inappropriate; some implementations might not want a jti." and you would be right. But some customers are already depending on this "always provide a JTI" behavior of the GenerateJWT policy, in production systems. Therefore we could not change the behavior.

Currently with GenerateJWT, your options are: explicitly specify a jti, or you get one generated for you. If the inability to generate JWT without a jti claim is a real hardship, we can accept a feature request to provide a way to turn this off with a new (awkward) attribute on the Id element. But for now it is not possible. And of course I would not be able to make any promises about delivery timelines.

I'm getting a token validation error when I send it with "jti" field set.

That's unfortunate. What system is verifying the token? The jti claim is optional, according to the specification in RFC 7519. I would think a robust verifying application would tolerate the presence of jti, even if the application doesn't use the jti claim.
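A verifier that treats jti the way the answer above describes (optional per RFC 7519, tolerated when present, never required), added here as an example and not code from the thread or from Apigee. It uses HS256 with a constructed key so it runs on the Python standard library alone; the RS256 policy above differs only in the signature step, and the make_token helper stands in for the policy output.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. With RS256 the verifier would hold the public key
# and check an RSA signature here; everything else stays the same.
SECRET = b"constructed-demo-key"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Stand-in for the GenerateJWT output: an HS256-signed compact JWS."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify the signature and registered claims; jti is optional (RFC 7519 4.1.7)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the expected algorithm, never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    # jti: absence is fine; when present it must be a StringOrURI, i.e. a string.
    # A replay cache keyed on (iss, jti) could be added here, but its absence
    # must never cause rejection.
    if "jti" in claims and not isinstance(claims["jti"], str):
        raise ValueError("jti must be a string")
    return claims
```

A token carrying the policy's auto-generated jti and one without it both verify; the verifier only fails on a jti that is not a string, not on its presence.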
