Client assertion token does not have a jti claim, making it reusable

[clementdenis]

Describe the bug?

The ClientAssertionClaims struct in client.mustache has an ID field (jti claim)

okta-sdk-golang/.generator/templates/client.mustache

Lines 1206 to 1213 in 097ef41

	type ClientAssertionClaims struct {
	Issuer string `json:"iss,omitempty"`
	Subject string `json:"sub,omitempty"`
	Audience string `json:"aud,omitempty"`
	Expiry *jwt.NumericDate `json:"exp,omitempty"`
	IssuedAt *jwt.NumericDate `json:"iat,omitempty"`
	ID string `json:"jti,omitempty"`
	}

but this is not used in createClientAssertion

okta-sdk-golang/.generator/templates/client.mustache

Lines 349 to 359 in 097ef41

	func createClientAssertion(orgURL, clientID string, privateKeySinger jose.Signer) (clientAssertion string, err error) {
	claims := ClientAssertionClaims{
	Subject: clientID,
	IssuedAt: jwt.NewNumericDate(time.Now()),
	Expiry: jwt.NewNumericDate(time.Now().Add(time.Hour * time.Duration(1))),
	Issuer: clientID,
	Audience: orgURL + "/oauth2/v1/token",
	}
	jwtBuilder := jwt.Signed(privateKeySinger).Claims(claims)
	return jwtBuilder.CompactSerialize()
	}

What is expected to happen?

The client assertion token should have a jti claim to prevent reuse.

What is the actual behavior?

The client assertion token can be used multiple times.

Reproduction Steps?

N/A

Additional Information?

The other SDKs add a jti claim:

• Python
• Java

Golang Version

Any

SDK Version

Latest

OS version

No response

[duytiennguyen-okta]

https://oktainc.atlassian.net/browse/OKTA-733548

[github-actions]

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.

[github-actions]

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.