Forum Discussion
Azure AD token missing 'jti' claim
I'm sending a token generated from an App registration in Azure to another application. The application has thrown an error
JWT ID (jti) claim missing
Any idea why Azure does not use the jti claim in its tokens? Or how to enable this claim?
TIA
There are 2 specifications at play here:
https://tools.ietf.org/html/rfc7521#section-5.1 https://tools.ietf.org/html/rfc7519#section-4.1.7
Assertion flow should have some “Assertion ID”
and JWTs can optionally have a JWT ID. They don't really appear to reference each other explicitly, but it makes sense to use them together.

Assertion ID: A nonce or unique identifier for the assertion. The Assertion ID may be used by implementations requiring message de-duplication for one-time use assertions. Any entity that assigns an identifier MUST ensure that there is negligible probability for that entity or any other entity to accidentally assign the same identifier to a different data object.

4.1.7. "jti" (JWT ID) Claim: The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The "jti" claim can be used to prevent the JWT from being replayed. The "jti" value is a case-sensitive string. Use of this claim is OPTIONAL.
It appears MSFT have opted to call their Assertion ID claim nonce instead of jti
- james1275, Copper Contributor
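A defensive way to handle what the answer above describes (added example, not code from the thread or from Microsoft): a receiver that keys its replay cache on jti per RFC 7519 §4.1.7 and, when a token carries no jti, falls back to the nonce claim, scoping the identifier to the issuer so values from different issuers cannot collide. Signature and audience validation are assumed to happen before this check in whatever JWT library the application already uses; the token here is a constructed fixture with a placeholder signature segment.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def assertion_id(claims: dict) -> str:
    """Replay-protection key: prefer jti, fall back to nonce; always scope to the issuer."""
    for name in ("jti", "nonce"):
        value = claims.get(name)
        if isinstance(value, str) and value:
            return f"{claims.get('iss', '')}|{name}|{value}"
    raise ValueError("JWT ID (jti) claim missing and no nonce fallback")


class ReplayCache:
    """Remember each identifier until the token's exp and reject a second presentation."""

    def __init__(self):
        self._seen = {}  # identifier -> exp (seconds since epoch)

    def check_and_record(self, claims: dict, now=None) -> bool:
        now = time.time() if now is None else now
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # evict expired
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return False  # missing exp or already expired: reject
        ident = assertion_id(claims)
        if ident in self._seen:
            return False  # same assertion presented again: replay
        self._seen[ident] = exp
        return True


def make_token(claims: dict) -> str:
    """Constructed test fixture only: unverified header and a placeholder signature segment."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```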