Including "jti" (JWT ID) Claim

[asteriosgr]

Is it possible to implement the use of jti here https://github.com/crewjam/saml/blob/master/samlsp/middleware.go
Thank you in advance, looking forward to hearing from you.

[weivall]

I had a similar situation when I wanted to attach a user information to the claims. It was solved by creating new middleware which is copy of the crewjam/saml/samlsp/middleware.go with some modifications.

[weivall]

Is it possible to implement the use of jti here https://github.com/crewjam/saml/blob/master/samlsp/middleware.go
Thank you in advance, looking forward to hearing from you.

As I see from middleware.go it used jwt.MapClaims

claims := state.Claims.(jwt.MapClaims)
claims["id"] = req.ID
claims["uri"] = r.URL.String()

and you have id there. It is called not jti but I guess it can be used.

[praneetloke]

Is that ID some sort of a request ID or is it really in-place of the jti claim? The way the code is written, it looks like it may be the former?

[crewjam]

Looking at it, I'm not super duper confident that it is okay to use the SAML request ID as the value of JTI but it seems to meet the qualifications. Perhaps just a different random value?

As it stands the private id claim being random does seem to me to create the replay resistance that jti is designed to introduce, so maybe no big deal? 🤷‍♀

[crewjam]

Closing because I think the refactoring of samlsp that just landed in #231 will allow you to conveniently customize the JWT. If that isn't the case, let me know.