Closed billinghamj closed 9 years ago
use pure JWT library for client authentication. it's not ID Token.
On May 13, 2015, at 02:48, James Billingham notifications@github.com wrote:
Seems it should go in here as an optional field:
https://github.com/nov/openid_connect/blob/master/lib/openid_connect/response_object/id_token.rb#L9
I'm not sure if anything else in the file needs to be changed though.
I believe the spec supports this as a valid use case.
Quoted from OpenID Connect Core 1.0:
The ID Token is a security token that contains Claims about the Authentication of an End-User
So seems it is considered client authentication.
The ID Token is represented as a JSON Web Token (JWT).
The JWT spec specifies the jti claim.
ID Tokens MAY contain other Claims.
So if I put another claim in, shouldn't it just be included without checking a list of recognized claims?
Isn't it included in OpenIDConnect::ResponseObject::IdToken#raw_attributes?
I don't get why you need to access jti in the id_token though. (nonce should be used to prevent replay attacks)
Oh I see. I am doing this now, which seems like the correct approach:
```ruby
# Standard ID Token claims; the gem validates these against its known list.
claims = {
  iss: config[:issuer],
  sub: user.id.to_s,
  aud: client.id.to_s,
  exp: expires_at.to_i,
  iat: created_at.to_i
}
id_token = OpenIDConnect::ResponseObject::IdToken.new(claims)
# to_jwt yields the JSON::JWT before it is signed, so extra claims such as
# jti can be added here without touching the gem's recognised-claim list.
id_token.to_jwt(key, :ES512) do |jwt|
  jwt[:jti] = id
end
```
Thanks for your help
cool