From d3f8ff2855de017109a5137e60e48dd46ddc3869 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Thu, 1 Oct 2015 17:24:10 -0400
Subject: [PATCH] added JTI to ID tokens, closes #900
---
 .../java/org/mitre/oauth2/token/JWTAssertionTokenGranter.java | 2 ++
 .../openid/connect/service/impl/DefaultOIDCTokenService.java | 1 +
 2 files changed, 3 insertions(+)
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JWTAssertionTokenGranter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JWTAssertionTokenGranter.java
index cb7c74949..629b11d59 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JWTAssertionTokenGranter.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JWTAssertionTokenGranter.java
@@ -21,6 +21,7 @@ package org.mitre.oauth2.token;
 import java.text.ParseException;
 import java.util.Date;
+import java.util.UUID;
 import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
 import org.mitre.oauth2.model.ClientDetailsEntity;
@@ -122,6 +123,7 @@ public class JWTAssertionTokenGranter extends AbstractTokenGranter {
 }
 claims.setIssueTime(new Date());
+ claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
 SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
index df26243f8..b9aae1acf 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
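Review bot: The trailing comment on the added `claims.setJWTID(UUID.randomUUID().toString());` line in JWTAssertionTokenGranter.java calls the value a NONCE, but the claim being set is the JWT ID (`jti`); in OpenID Connect `nonce` is a separate claim that echoes a client-supplied value, so the wording invites confusion between the two. I would reword it to `// jti: fresh unique identifier for this ID token (not the OIDC nonce claim)`. The same comment is repeated on the `idClaims.setJWTID(...)` line in DefaultOIDCTokenService.java, where the request's actual `nonce` is read in the very next statement. The enclosing method starts and ends outside the hunk.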
@@ -132,6 +132,7 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
 idClaims.setIssuer(configBean.getIssuer());
 idClaims.setSubject(sub);
 idClaims.setAudience(Lists.newArrayList(client.getClientId()));
+ idClaims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
 String nonce = (String)request.getExtensions().get("nonce");
 if (!Strings.isNullOrEmpty(nonce)) {
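Review bot: The `jti` generated on the added `idClaims.setJWTID(...)` line is written into the claims and, as far as this hunk shows, kept nowhere else, so the server would have no way to tie a presented ID token back to its issuance for audit or replay checks. If that correlation is wanted, hold the value in a local, `String jti = UUID.randomUUID().toString();` followed by `idClaims.setJWTID(jti);`, and record it alongside the issued token. Separately, this file's section of the patch adds no import while the new line uses `UUID`, so it compiles only if `java.util.UUID` is already imported in DefaultOIDCTokenService.java, which is worth confirming. The enclosing method begins before the hunk and the `if (!Strings.isNullOrEmpty(nonce))` block continues past it.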