Bug Report: Discrepancy of JTI claim between code and spec #6639
Labels: Status: Pending; Type: Bug
Brief Summary
The JTI claim is not required in the OAuth2 spec, nor the MP JWT Auth spec (https://github.com/eclipse/microprofile-jwt-auth/blob/main/spec/src/main/asciidoc/interoperability.asciidoc). The latter states it is "recommended". This is preventing JWT verification with OAuth2 IDPs like Microsoft Entra, which does NOT send the JTI claim and instead uses a "nonce" claim. Is the desired behavior to require the JTI claim, or is this a bug?
Edit
Sorry, thought GitHub would reference the line of code in question. Adding it here.
Payara/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/jwt/JwtTokenParser.java, line 94 at commit 7680990
Expected Outcome
Code matches spec.
Current Outcome
JWT fails validation due to missing JTI claim.
Reproducer
Any JWT without JTI claim.
Operating System
NA
JDK Version
NA
Payara Distribution
Payara Micro
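The following is an added example, not Payara's code and not the JwtTokenParser linked above: a minimal Python verifier that contrasts the behaviour the report describes (a token without `jti` is rejected) with the spec's wording (`jti` is only recommended, so its absence is a warning). It assumes an HS256 demo key so it runs offline, an assumed minimal mandatory claim set of `iss`, `sub` and `exp`, and a constructed Entra-shaped token carrying `nonce` but no `jti`.

```python
import base64, hashlib, hmac, json, time
# Constructed demo key: HS256 keeps the example offline; a real deployment checks
# the IDP's asymmetric signature against its published JWKS instead.
DEMO_KEY = b"constructed-demo-hs256-key"
# Assumed minimal mandatory set for this example; "jti" sits apart because the
# MP JWT interoperability spec only recommends it.
REQUIRED_CLAIMS = ("iss", "sub", "exp")
RECOMMENDED_CLAIMS = ("jti",)
ENTRA_LIKE_CLAIMS = {  # constructed, Entra-shaped sample: "nonce" present, no "jti"
    "iss": "https://login.example.test/tenant-placeholder/v2.0",
    "sub": "user-placeholder", "exp": int(time.time()) + 300,
    "nonce": "constructed-nonce-value"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    # Mints an HS256 JWT carrying the given claims (constructed scenario only).
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify(token: str, key: bytes = DEMO_KEY, jti_required: bool = False):
    """Signature first, then claims. jti_required=True mirrors the behaviour the
    issue reports (rejection); False mirrors the spec (warning only)."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unsupported alg")  # rejects alg=none and alg confusion
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    required = REQUIRED_CLAIMS + (RECOMMENDED_CLAIMS if jti_required else ())
    if missing := [c for c in required if c not in claims]:
        raise ValueError(f"missing required claim(s): {missing}")
    if claims["exp"] <= time.time():
        raise ValueError("token expired")
    return claims, [f"recommended claim {c!r} absent" for c in RECOMMENDED_CLAIMS if c not in claims]

def is_rejected(token: str, **kw) -> bool:
    """True when verify() rejects the token; contrasts the two modes above."""
    try:
        verify(token, **kw)
        return False
    except ValueError:
        return True
```

Running `verify(make_token(ENTRA_LIKE_CLAIMS))` accepts the token and reports only the missing-`jti` warning, while `jti_required=True` rejects the same token, which is the discrepancy the report raises.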