Microsoft Tech Community
SOLVED

Azure Ad Token missing 'jti' claim

Copper Contributor

I'm sending a token generated from an App registration in Azure to another application. The application has thrown an error:

    JWT ID (jti) claim missing

Any idea why Azure does not use the jti claim in its tokens? Or how to enable this claim?

TIA

1 Reply
best response confirmed by james1275 (Copper Contributor)
Solution

There are 2 specifications at play here:

https://tools.ietf.org/html/rfc7521#section-5.1
https://tools.ietf.org/html/rfc7519#section-4.1.7

Assertion flow should have some "Assertion ID", and JWTs can optionally have a JWT ID. They don't really appear to reference each other explicitly, but it makes sense to use them together.

RFC 7521, section 5.1:

    Assertion ID
      A nonce or unique identifier for the assertion.  The Assertion ID
      may be used by implementations requiring message de-duplication
      for one-time use assertions.  Any entity that assigns an
      identifier MUST ensure that there is negligible probability for
      that entity or any other entity to accidentally assign the same
      identifier to a different data object.

RFC 7519, section 4.1.7:

    4.1.7.  "jti" (JWT ID) Claim

      The "jti" (JWT ID) claim provides a unique identifier for the JWT.
      The identifier value MUST be assigned in a manner that ensures that
      there is a negligible probability that the same value will be
      accidentally assigned to a different data object; if the application
      uses multiple issuers, collisions MUST be prevented among values
      produced by different issuers as well.  The "jti" claim can be used
      to prevent the JWT from being replayed.  The "jti" value is a case-
      sensitive string.  Use of this claim is OPTIONAL.

It appears MSFT have opted to call their Assertion ID claim nonce instead of jti.
