okta / okta-sdk-golang

A Golang SDK for interacting with the Okta management API, enabling server-side code to manage Okta users, groups, applications, and more.
https://github.com/okta/okta-sdk-golang

Client assertion token does not have a jti claim, making it reusable #458

Open clementdenis opened 1 month ago

clementdenis commented 1 month ago

Describe the bug?

The ClientAssertionClaims struct in client.mustache has an ID field (jti claim)

https://github.com/okta/okta-sdk-golang/blob/097ef410838011d464266aa06e5fb720c9c7d6c2/.generator/templates/client.mustache#L1206-L1213

but this is not used in createClientAssertion

https://github.com/okta/okta-sdk-golang/blob/097ef410838011d464266aa06e5fb720c9c7d6c2/.generator/templates/client.mustache#L349-L359

What is expected to happen?

The client assertion token should have a jti claim to prevent reuse.

What is the actual behavior?

The client assertion token can be used multiple times.

Reproduction Steps?

N/A

Additional Information?

The other SDKs add a jti claim:

Golang Version

Any

SDK Version

Latest

OS version

No response
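For readers who want to see what the missing claim changes in practice, here is an added example (not code from okta-sdk-golang, and not the reporter's) that builds a private_key_jwt client assertion with a fresh `jti`, verifies it the way a token endpoint would, and then keeps a replay cache keyed on the `jti`. The struct field names, `CreateClientAssertion`, `VerifyAssertion`, `JTIReplayCache`, the client ID and the token URL are all assumptions made for the illustration; the authorization server half stands in for Okta's and says nothing about how Okta itself handles a repeated assertion.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ClientAssertionClaims is this example's claim set for a private_key_jwt
// client assertion (RFC 7523); the field names are assumed, not the SDK's.
type ClientAssertionClaims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Audience  string `json:"aud"`
	ExpiresAt int64  `json:"exp"`
	ID        string `json:"jti"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewSigningKey makes a throwaway RSA key; a real client loads its own.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// CreateClientAssertion builds and RS256-signs an assertion with a fresh jti
// and a one-minute exp, which bounds how long a server must remember the jti.
func CreateClientAssertion(clientID, tokenURL string, key *rsa.PrivateKey, now time.Time) (string, error) {
	var jti [16]byte // 128 random bits: the claim the issue reports as unset
	if _, err := rand.Read(jti[:]); err != nil {
		return "", err
	}
	body, err := json.Marshal(ClientAssertionClaims{
		Issuer: clientID, Subject: clientID, Audience: tokenURL,
		ExpiresAt: now.Add(time.Minute).Unix(), ID: b64url(jti[:]),
	})
	if err != nil {
		return "", err
	}
	signingInput := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyAssertion checks the RS256 signature and decodes the claims; it
// stands in for the authorization server (Okta's, in the real exchange).
func VerifyAssertion(token string, pub *rsa.PublicKey) (*ClientAssertionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	body, errBody := base64.RawURLEncoding.DecodeString(parts[1])
	if errSig != nil || errBody != nil {
		return nil, errors.New("malformed token")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	c := new(ClientAssertionClaims)
	return c, json.Unmarshal(body, c)
}

// JTIReplayCache remembers each accepted jti until its exp. Without a jti the
// server has nothing to key on, which is the reuse this issue describes.
// (Single-threaded here; a shared cache needs a lock and eviction past exp.)
type JTIReplayCache struct{ seen map[string]int64 } // jti -> exp, unix seconds

func NewJTIReplayCache() *JTIReplayCache { return &JTIReplayCache{seen: map[string]int64{}} }

// Accept rejects an assertion that lacks a jti, is expired, or repeats a jti.
func (c *JTIReplayCache) Accept(claims *ClientAssertionClaims, now time.Time) error {
	if claims.ID == "" {
		return errors.New("client assertion has no jti claim; reuse cannot be detected")
	}
	if now.Unix() >= claims.ExpiresAt {
		return errors.New("client assertion expired")
	}
	if _, dup := c.seen[claims.ID]; dup {
		return fmt.Errorf("client assertion jti %q already used", claims.ID)
	}
	c.seen[claims.ID] = claims.ExpiresAt
	return nil
}

func main() {
	key, _ := NewSigningKey()
	now := time.Now()
	tok, _ := CreateClientAssertion("0oa-example-client", "https://example.okta.com/oauth2/v1/token", key, now)
	claims, _ := VerifyAssertion(tok, &key.PublicKey)
	cache := NewJTIReplayCache()
	fmt.Println("first use:", cache.Accept(claims, now), "| replay:", cache.Accept(claims, now))
}
```

The two halves belong together: a `jti` only prevents reuse when the server records it, and the server can only afford to record it because `exp` is short. The `jti` is drawn from `crypto/rand` rather than a counter or timestamp so that two processes holding the same client key cannot collide, and so a captured assertion reveals nothing about the next one.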

duytiennguyen-okta commented 1 month ago

https://oktainc.atlassian.net/browse/OKTA-733548

github-actions[bot] commented 3 weeks ago

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.

github-actions[bot] commented 1 week ago

This issue has been marked stale because there has been no activity within the last 14 days. To keep this issue active, remove the stale label.