Bug Report: Discrepancy of JTI claim between code and spec #6639

Open
tdevfeeds opened this issue Apr 11, 2024 · 1 comment
Labels
Status: Pending Waiting on the issue requester to give more details or share a reproducer Type: Bug Label issue as a bug defect

Comments

tdevfeeds commented Apr 11, 2024

Brief Summary

The JTI claim is not required in the OAuth2 spec, nor in the MP JWT Auth spec (https://github.com/eclipse/microprofile-jwt-auth/blob/main/spec/src/main/asciidoc/interoperability.asciidoc). The latter states it is "recommended". This is preventing JWT verification with OAuth2 IDPs like Microsoft Entra, which does NOT send the JTI claim and instead uses a "nonce" claim. Is the desired behavior to require the JTI claim, or is this a bug?

Edit
Sorry, thought GitHub would reference the line of code in question. Adding it here.

Expected Outcome

Code matches spec.

Current Outcome

JWT fails validation due to missing JTI claim.

Reproducer

Any JWT without JTI claim.

Operating System

NA

JDK Version

NA

Payara Distribution

Payara Micro

@tdevfeeds tdevfeeds added Status: Open Issue has been triaged by the front-line engineers and is being worked on verification Type: Bug Label issue as a bug defect labels Apr 11, 2024
shub8968 (Contributor) commented May 1, 2024

Duplicate of #5791

@shub8968 shub8968 marked this as a duplicate of #5791 May 1, 2024
@shub8968 shub8968 added Status: Pending Waiting on the issue requester to give more details or share a reproducer and removed Status: Open Issue has been triaged by the front-line engineers and is being worked on verification labels May 1, 2024
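
The difference between treating `jti` as required and treating it as recommended, as an added example that is not Payara's code and not part of the original issue. The class and method names are hypothetical, the set of mandatory claims is an assumption made for the sketch, and the claim sets are constructed; signature verification is assumed to have happened before this check.

```java
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class JtiOptionalCheck {
    // Assumption for this sketch: claims every token must carry. "jti" is deliberately not listed.
    static final List<String> REQUIRED = List.of("iss", "exp", "iat");
    // jti -> expiry (epoch seconds) of tokens already accepted, used for replay detection.
    static final Map<String, Long> SEEN_JTI = new ConcurrentHashMap<>();

    /** Returns "ok" when the claim set is acceptable, otherwise the reason for rejection. */
    static String check(Map<String, Object> claims, boolean requireJti, long now) {
        for (String name : REQUIRED) {
            if (!claims.containsKey(name)) return "missing required claim: " + name;
        }
        long exp = ((Number) claims.get("exp")).longValue();
        if (exp <= now) return "token expired";
        Object jti = claims.get("jti");
        if (jti == null) {
            // requireJti=true reproduces the reported failure; false follows "recommended".
            // Without a jti there is no token identifier to detect replays with, so
            // short lifetimes and audience checks carry that weight instead.
            return requireJti ? "missing required claim: jti" : "ok";
        }
        // Forget identifiers of tokens that have expired, then refuse a jti seen before.
        SEEN_JTI.values().removeIf(expiry -> expiry <= now);
        if (SEEN_JTI.putIfAbsent(jti.toString(), exp) != null) return "replayed jti";
        return "ok";
    }

    public static void main(String[] args) {
        long now = Instant.now().getEpochSecond();
        // Constructed claim sets: one without jti, one with it.
        Map<String, Object> noJti = Map.of(
                "iss", "https://idp.example", "iat", now, "exp", now + 300);
        Map<String, Object> withJti = Map.of(
                "iss", "https://idp.example", "iat", now, "exp", now + 300, "jti", "a1b2");
        System.out.println("jti required, token has no jti:    " + check(noJti, true, now));
        System.out.println("jti recommended, token has no jti: " + check(noJti, false, now));
        System.out.println("token with jti, first use:         " + check(withJti, false, now));
        System.out.println("token with jti, second use:        " + check(withJti, false, now));
    }
}
```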