diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
index 79278222c..8ace2895c 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
@@ -21,6 +21,7 @@ package org.mitre.oauth2.token;
 import java.text.ParseException;
 import java.util.Date;
+import java.util.UUID;
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.mitre.oauth2.model.ClientDetailsEntity;
@@ -122,6 +123,7 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
 }
 claims.setIssueTime(new Date());
+claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
 SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
index f05481629..95083dacb 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
@@ -123,6 +123,7 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
 idClaims.setIssuer(configBean.getIssuer());
 idClaims.setSubject(sub);
 idClaims.setAudience(Lists.newArrayList(client.getClientId()));
+idClaims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
 String nonce = (String)request.getExtensions().get("nonce");
 if (!Strings.isNullOrEmpty(nonce)) {
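Review bot: The trailing comment on the added `claims.setJWTID(UUID.randomUUID().toString())` line in JwtAssertionTokenGranter mislabels the claim: `setJWTID` populates the `jti` (JWT ID) claim, a unique token identifier, not the OIDC `nonce` — and in the DefaultOIDCTokenService hunk, which carries the identical line and comment, the real nonce is read from `request.getExtensions().get("nonce")` two lines later, so the wording will mislead the next reader. Suggest replacing the comment on both added lines with `// jti: unique, unguessable token identifier so consumers can detect a replayed token`. `UUID.randomUUID()` is backed by a cryptographically strong generator, so the value is suitable as an unguessable identifier; replay detection only materialises if the token consumer records seen `jti` values, which is outside this change. The enclosing methods of both hunks start and end outside the hunks.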