From 89a728669aad721cb99ccf739333f8a8ddc1b1ca Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Thu, 1 Oct 2015 17:24:10 -0400
Subject: [PATCH] added JTI to ID tokens, closes #900
---
 .../java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java | 2 ++
 .../openid/connect/service/impl/DefaultOIDCTokenService.java | 1 +
 2 files changed, 3 insertions(+)
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
index 79278222c..8ace2895c 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
@@ -21,6 +21,7 @@ package org.mitre.oauth2.token;
 import java.text.ParseException;
 import java.util.Date;
+import java.util.UUID;
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.mitre.oauth2.model.ClientDetailsEntity;
@@ -122,6 +123,7 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
 }
 claims.setIssueTime(new Date());
+ claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
 SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
index f05481629..95083dacb 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
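Review bot: The trailing comment on the added `claims.setJWTID(...)` line in JwtAssertionTokenGranter, and on the matching `idClaims.setJWTID(...)` line in the DefaultOIDCTokenService hunk, calls the value a NONCE, but the call sets the `jti` claim; the OIDC `nonce` is a separate claim that the DefaultOIDCTokenService context lines read from the request extensions right after. I would reword both to something like `// unique JWT ID (jti) for this ID token; distinct from the OIDC nonce`, so that nobody later treats the two as interchangeable. A `jti` only helps against replay if a consumer records the values it has already seen, and nothing in these hunks does that, so the comment or commit message should say whether the claim is meant for replay detection or just to make each issued token distinct. Both enclosing methods start and end outside the hunks.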
@@ -123,6 +123,7 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
 idClaims.setIssuer(configBean.getIssuer());
 idClaims.setSubject(sub);
 idClaims.setAudience(Lists.newArrayList(client.getClientId()));
+ idClaims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
 String nonce = (String)request.getExtensions().get("nonce");
 if (!Strings.isNullOrEmpty(nonce)) {