jwt: Add JTI to counter missing nonce

ory · May 23, 2018 · 28822d7 · 28822d7
1 parent 3b44eb3
commit 28822d7
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/token/jwt/claims_id_token.go b/token/jwt/claims_id_token.go
@@ -25,10 +25,12 @@ import (
 	"time"
 
 	"github.com/dgrijalva/jwt-go"
+	"github.com/pborman/uuid"
 )
 
 // IDTokenClaims represent the claims used in open id connect requests
 type IDTokenClaims struct {
+	JTI                                 string
 	Issuer                              string
 	Subject                             string
 	Audience                            string
@@ -50,11 +52,16 @@ func (c *IDTokenClaims) ToMap() map[string]interface{} {
 	ret["iss"] = c.Issuer
 	ret["aud"] = c.Audience
 	ret["nonce"] = c.Nonce
+	ret["jti"] = c.JTI
 
 	if len(c.AccessTokenHash) > 0 {
 		ret["at_hash"] = c.AccessTokenHash
 	}
 
+	if len(c.JTI) == 0 {
+		ret["jti"] = uuid.New()
+	}
+
 	if len(c.CodeHash) > 0 {
 		ret["c_hash"] = c.CodeHash
 	}

diff --git a/token/jwt/claims_id_token_test.go b/token/jwt/claims_id_token_test.go
@@ -30,6 +30,7 @@ import (
 )
 
 var idTokenClaims = &IDTokenClaims{
+	JTI:             "foo-id",
 	Subject:         "peter",
 	IssuedAt:        time.Now().UTC().Round(time.Second),
 	Issuer:          "fosite",
@@ -51,10 +52,13 @@ func TestIDTokenAssert(t *testing.T) {
 		ToMapClaims().Valid())
 	assert.Error(t, (&IDTokenClaims{ExpiresAt: time.Now().UTC().Add(-time.Hour)}).
 		ToMapClaims().Valid())
+
+	assert.NotEmpty(t, (new(IDTokenClaims)).ToMapClaims()["jti"])
 }
 
 func TestIDTokenClaimsToMap(t *testing.T) {
 	assert.Equal(t, map[string]interface{}{
+		"jti":       idTokenClaims.JTI,
 		"sub":       idTokenClaims.Subject,
 		"iat":       float64(idTokenClaims.IssuedAt.Unix()),
 		"rat":       float64(idTokenClaims.RequestedAt.Unix()),