Including "jti" (JWT ID) Claim #175
Comments
I had a similar situation when I wanted to attach user information to the claims. It was solved by creating new middleware which is a copy of the crewjam/saml/samlsp/middleware.go with some modifications.
As I see from middleware.go it used jwt.MapClaims and you have id there. It is called not jti but I guess it can be used.
Is that ID some sort of a request ID or is it really in place of the
Looking at it, I'm not super duper confident that it is okay to use the SAML request ID as the value of JTI but it seems to meet the qualifications. Perhaps just a different random value? As it stands the private id claim being random does seem to me to create the replay resistance that
Closing because I think the refactoring of samlsp that just landed in #231 will allow you to conveniently customize the JWT. If that isn't the case, let me know.
Is it possible to implement the use of jti here https://github.com/crewjam/saml/blob/master/samlsp/middleware.go
Thank you in advance, looking forward to hearing from you.
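
An added example, not code from this thread or from crewjam/saml: the "different random value" option raised above, as a random `jti` plus a cache that rejects a repeated `jti` until the token's `exp`. `NewJTI` and `JTICache` are hypothetical names, and the sketch assumes a single-use token (not a session cookie presented on every request) whose claims are a plain map with numbers decoded as `float64`, as after JSON parsing.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// NewJTI returns a fresh 128-bit random token ID, independent of the SAML request ID.
func NewJTI() (string, error) {
	b := make([]byte, 16)
	_, err := rand.Read(b)
	return hex.EncodeToString(b), err
}

type JTICache struct { // hypothetical helper: remembers each jti until its token expires
	mu   sync.Mutex
	seen map[string]time.Time // jti -> token expiry
}

// Check accepts the claims of a single-use token once and rejects any later reuse.
func (c *JTICache) Check(claims map[string]interface{}, now time.Time) error {
	jti, _ := claims["jti"].(string)
	exp, ok := claims["exp"].(float64)
	if jti == "" || !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return errors.New("missing jti/exp or token expired")
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	for k, e := range c.seen { // forget IDs whose tokens are expired anyway
		if !now.Before(e) {
			delete(c.seen, k)
		}
	}
	if _, dup := c.seen[jti]; dup {
		return errors.New("jti already used")
	}
	c.seen[jti] = time.Unix(int64(exp), 0)
	return nil
}

func main() {
	c, now := &JTICache{seen: map[string]time.Time{}}, time.Now()
	jti, _ := NewJTI()
	claims := map[string]interface{}{"jti": jti, "exp": float64(now.Add(time.Minute).Unix())}
	fmt.Println(c.Check(claims, now), c.Check(claims, now)) // first use accepted, reuse rejected
}
```

Entries are kept only until `exp`, so the cache stays bounded by the number of unexpired tokens; with several service instances the map would need to be a shared store.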