added JTI to ID tokens, closes #900

2015-10-01 17:24:10 -04:00 · 2015-10-01 17:24:10 -04:00 · 89a728669a
parent 4bb28052a1
commit 89a728669a
2 changed files with 3 additions and 0 deletions
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
@ -21,6 +21,7 @@ package org.mitre.oauth2.token;

 import java.text.ParseException;
 import java.util.Date;
+import java.util.UUID;

 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.mitre.oauth2.model.ClientDetailsEntity;
@ -122,6 +123,7 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
 					}

 					claims.setIssueTime(new Date());
+					claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it


 					SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
@ -123,6 +123,7 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
 		idClaims.setIssuer(configBean.getIssuer());
 		idClaims.setSubject(sub);
 		idClaims.setAudience(Lists.newArrayList(client.getClientId()));
+		idClaims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it

 		String nonce = (String)request.getExtensions().get("nonce");
 		if (!Strings.isNullOrEmpty(nonce)) {