Mar 15 2021
04:39 AM
- last edited on
Jan 14 2022
03:27 PM
by
TechCommunityAP
I'm sending a token generated from an App registration in Azure to another application. The application has thrown an error
JWT ID (jti) claim missing
Any idea why Azure does not use the jti claim in its tokens? Or how to enable this claim?
TIA
Mar 19 2021 05:52 AM
Solution
There are 2 specifications at play here:
https://tools.ietf.org/html/rfc7521#section-5.1
https://tools.ietf.org/html/rfc7519#section-4.1.7
Assertion flow should have some "Assertion ID", and JWTs can optionally have a JWT ID. They don't really appear to reference each other explicitly, but it makes sense to use them together.
Assertion ID
A nonce or unique identifier for the assertion. The Assertion ID
may be used by implementations requiring message de-duplication
for one-time use assertions. Any entity that assigns an
identifier MUST ensure that there is negligible probability for
that entity or any other entity to accidentally assign the same
identifier to a different data object.
4.1.7. "jti" (JWT ID) Claim
The "jti" (JWT ID) claim provides a unique identifier for the JWT.
The identifier value MUST be assigned in a manner that ensures that
there is a negligible probability that the same value will be
accidentally assigned to a different data object; if the application
uses multiple issuers, collisions MUST be prevented among values
produced by different issuers as well. The "jti" claim can be used
to prevent the JWT from being replayed. The "jti" value is a
case-sensitive string. Use of this claim is OPTIONAL.
It appears MSFT have opted to call their Assertion ID claim nonce instead of jti.
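As an added example (not from this thread, and not Microsoft's code), here is a minimal Python replay cache showing the de-duplication check the RFC text above describes: it reports the same "claim missing" condition the question hit, keys entries by issuer so IDs from different issuers cannot collide, and forgets an ID once the token's exp has passed. The issuer URLs, claim values and the id_claim parameter (which lets the check be keyed on a different claim, such as the nonce the answer mentions) are assumptions constructed for the example.

```python
import time

# Constructed sample payloads (decoded claim sets, not real Azure tokens).
# The first mirrors a token carrying a nonce but no jti; the second carries a jti.
AZURE_LIKE_CLAIMS = {
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "aud": "api://example-app",
    "nonce": "c1d9f2a0-constructed",
    "exp": 1_700_000_600,
}
RFC7519_CLAIMS = {
    "iss": "https://issuer.example",
    "aud": "api://example-app",
    "jti": "8f3c0b2e-constructed",
    "exp": 1_700_000_600,
}


class ReplayCache:
    """Remember token identifiers until their exp so a replayed assertion is rejected."""

    def __init__(self, id_claim="jti"):
        # Claim used as the Assertion ID (RFC 7521 5.1) / JWT ID (RFC 7519 4.1.7).
        # "jti" is the standard name; the parameter is an assumption for this example.
        self.id_claim = id_claim
        self._seen = {}  # (iss, token_id) -> exp

    def _evict(self, now):
        # An expired token is rejected by the exp check below, so its ID need not be kept.
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}

    def check(self, claims, now=None):
        """Return "ok" and record the ID, or return the reason the token is rejected."""
        now = time.time() if now is None else now
        self._evict(now)
        token_id = claims.get(self.id_claim)
        if not isinstance(token_id, str) or not token_id:
            # The condition behind the "JWT ID (jti) claim missing" error in the question.
            return f"JWT ID ({self.id_claim}) claim missing"
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)):
            return "exp claim missing"  # without exp the cache could grow without bound
        if exp <= now:
            return "token expired"
        # Key on the issuer as well: RFC 7519 requires uniqueness across multiple issuers.
        key = (claims.get("iss"), token_id)
        if key in self._seen:
            return "replayed token"
        self._seen[key] = exp
        return "ok"
```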